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Abstract 


This  recommendation  defines  five  confidentiality  modes  of  operation  for  use  with  an  underlying 
symmetric  key  block  cipher  algorithm:  Electronic  Codebook  (ECB),  Cipher  Block  Chaining 
(CBC),  Cipher  Eeedback  (CEB),  Output  Eeedback  (OEB),  and  Counter  (CTR).  Used  with  an 
underlying  block  cipher  algorithm  that  is  approved  in  a  Eederal  Information  Processing  Standard 
(EIPS),  these  modes  can  provide  cryptographic  protection  for  sensitive,  but  unclassified, 
computer  data. 
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1  Purpose 


This  publication  provides  recommendations  regarding  modes  of  operation  to  be  used  with 
symmetric  key  block  cipher  algorithms. 


2  Authority 

This  document  has  been  developed  by  the  National  Institute  of  Standards  and  Technology 
(NIST)  in  furtherance  of  its  statutory  responsibilities  under  the  Computer  Security  Act  of  1987 
(Public  Law  100-235)  and  the  Information  Technology  Management  Reform  Act  of  1996, 
specifically  15  U.S.C.  278  g-3(a)(5).  This  is  not  a  guideline  within  the  meaning  of  15  U.S.C.  278 
g-3  (a)(5). 

This  recommendation  is  neither  a  standard  nor  a  guideline,  and  as  such,  is  neither  mandatory  nor 
binding  on  Federal  agencies.  Federal  agencies  and  non-government  organizations  may  use  this 
recommendation  on  a  voluntary  basis.  It  is  not  subject  to  copyright. 

Nothing  in  this  recommendation  should  be  taken  to  contradict  standards  and  guidelines  that  have 
been  made  mandatory  and  binding  upon  Federal  agencies  by  the  Secretary  of  Commerce  under 
his  statutory  authority.  Nor  should  this  recommendation  be  interpreted  as  altering  or  superseding 
the  existing  authorities  of  the  Secretary  of  Commerce,  the  Director  of  the  Office  of  Management 
and  Budget,  or  any  other  Federal  official. 

Conformance  testing  for  implementations  of  the  modes  of  operation  that  are  specified  in  this 
recommendation  will  be  conducted  within  the  framework  of  the  Cryptographic  Module 
Validation  Program  (CMVP),  a  joint  effort  of  the  NIST  and  the  Communications  Security 
Establishment  of  the  Government  of  Canada.  An  implementation  of  a  mode  of  operation  must 
adhere  to  the  requirements  in  this  recommendation  in  order  to  be  validated  under  the  CMVP. 

3  Introduction 

This  recommendation  specifies  five  confidentiality  modes  of  operation  for  symmetric  key  block 
cipher  algorithms,  such  as  the  algorithm  specified  in  FIPS  Pub.  197,  the  Advanced  Encryption 
Standard  (AES)  [2].  The  modes  may  be  used  in  conjunction  with  any  symmetric  key  block  cipher 
algorithm  that  is  approved  by  a  Eederal  Information  Processing  Standard  (PIPS).  The  five 
modes — the  Electronic  Codebook  (ECB),  Cipher  Block  Chaining  (CBC),  Cipher  Peedback 
(CEB),  Output  Peedback  (OPB),  and  Counter  (CTR)  modes — can  provide  data  confidentiality. 

Two  PIPS  publications  already  approve  confidentiality  modes  of  operation  for  two  particular 
block  cipher  algorithms.  PIPS  Pub.  81  [4]  specifies  the  ECB,  CBC,  CEB,  and  OPB  modes  of  the 
Data  Encryption  Standard  (DES).  PIPS  Pub.  46-3  [3]  approves  the  seven  modes  that  are 
specified  in  ANSI  X9.52  [I].  Pour  of  these  modes  are  equivalent  to  the  ECB,  CBC,  CEB,  and 
OPB  modes  with  the  Triple  DES  algorithm  (TDEA)  as  the  underlying  block  cipher;  the  other 
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three  modes  in  ANSI  X9.52  are  variants  of  the  CBC,  CFB,  and  OFB  modes  of  Triple  DBS  that 
use  interleaving  or  pipelining. 

Thus,  there  are  three  new  elements  in  this  recommendation:  1)  the  extension  of  the  four 
confidentiality  modes  in  FIPS  Pub  81  for  use  with  any  FIPS-approved  block  cipher;  2)  the 
revision  of  the  requirements  for  these  modes;  and  3)  the  specification  of  an  additional 
confidentiality  mode,  the  CTR  mode,  for  use  with  any  FIPS-approved  block  cipher. 
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4  Definitions,  Abbreviations,  and  Symbois 

4. 1  Definitions  and  Abbreviations 


Bit 

A  binary  digit:  0  or  1 . 

Bit  Error 

The  substitution  of  a  ‘0’  bit  for  a  T’  bit,  or  vice  versa. 

Bit  String 

An  ordered  sequence  of  O’s  and  I’s. 

Block  Cipher 

A  family  of  functions  and  their  inverse  functions  that  is  parameterized 
by  cryptographic  keys;  the  functions  map  bit  strings  of  a  fixed  length  to 
bit  strings  of  the  same  length. 

Block  Size 

The  number  of  bits  in  an  input  (or  output)  block  of  the  block  cipher. 

CBC 

Cipher  Block  Chaining. 

CEB 

Cipher  Eeedback. 

Ciphertext 

Encrypted  data. 

Confidentiality  Mode 

A  mode  that  is  used  to  encipher  plaintext  and  decipher  ciphertext.  The 
confidentiality  modes  in  this  recommendation  are  the  ECB,  CBC,  CEB, 
OEB,  and  CTR  modes. 

CTR 

Counter. 

Cryptographic  Key 

A  parameter  used  in  the  block  cipher  algorithm  that  determines  the 
forward  cipher  operation  and  the  inverse  cipher  operation. 

Data  Block  (Block) 

A  sequence  of  bits  whose  length  is  the  block  size  of  the  block  cipher. 

Data  Segment 
(Segment) 

In  the  CEB  mode,  a  sequence  of  bits  whose  length  is  a  parameter  that 
does  not  exceed  the  block  size. 

Decryption 

(Deciphering) 

The  process  of  a  confidentiality  mode  that  transforms  encrypted  data 
into  the  original  usable  data. 

ECB 

Electronic  Codebook. 

Encryption 

(Enciphering) 

The  process  of  a  confidentiality  mode  that  transforms  usable  data  into 
an  unreadable  form. 
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Exclusive-OR 

The  bitwise  addition,  modulo  2,  of  two  bit  strings  of  equal  length. 

FIPS 

Federal  Information  Processing  Standard. 

Forward  Cipher 
Function  (Forward 
Cipher  Operation) 

One  of  the  two  functions  of  the  block  cipher  algorithm  that  is  selected 
by  the  cryptographic  key. 

Initialization  Vector 
(IV) 

A  data  block  that  some  modes  of  operation  require  as  an  additional 
initial  input. 

Input  Block 

A  data  block  that  is  an  input  to  either  the  forward  cipher  function  or  the 
inverse  cipher  function  of  the  block  cipher  algorithm. 

Inverse  Cipher 

Function  (Inverse 

Cipher  Operation) 

The  function  that  reverses  the  transformation  of  the  forward  cipher 
function  when  the  same  cryptographic  key  is  used. 

Feast  Significant 

Bit(s) 

The  right-most  bit(s)  of  a  bit  string. 

Mode  of  Operation 
(Mode) 

An  algorithm  for  the  cryptographic  transformation  of  data  that  features 
a  symmetric  key  block  cipher  algorithm. 

Most  Significant  Bit(s) 

The  left-most  bit(s)  of  a  bit  string. 

Nonce 

A  value  that  is  used  only  once. 

Octet 

A  group  of  eight  binary  digits. 

OFB 

Output  Feedback. 

Output  Block 

A  data  block  that  is  an  output  of  either  the  forward  cipher  function  or 
the  inverse  cipher  function  of  the  block  cipher  algorithm. 

Plaintext 

Usable  data  that  is  formatted  as  input  to  a  mode. 
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4.2  Symbols 

4.2. 1  Variables 

b  The  block  size,  in  bits. 

j  The  index  to  a  sequence  of  data  blocks  or  data  segments  ordered  from  left 

to  right. 

n  The  number  of  data  blocks  or  data  segments  in  the  plaintext. 

s  The  number  of  bits  in  a  data  segment. 

u  The  number  of  bits  in  the  last  plaintext  or  ciphertext  block. 

Cj  The  f  ciphertext  block. 

Cj  The  j  ciphertext  segment. 

C  „  The  last  block  of  the  ciphertext,  which  may  be  a  partial  block. 

Ij  The  y*  input  block. 

IV  The  initialization  vector. 

K  The  secret  key. 

O,  The  y*  output  block. 

Pj  The  y*  plaintext  block. 

P  J  The  j  plaintext  segment. 

P  „  The  last  block  of  the  plaintext,  which  may  be  a  partial  block. 

Tj  The  y*  counter  block. 

4.2.2  Operations  and  Functions 

X  I  Y  The  concatenation  of  two  bit  strings  X  and  Y. 

X  ©  T  The  bitwise  exclusive-OR  of  two  bit  strings  X  and  Y  of  the  same  length. 

CIPHf.(X)  The  forward  cipher  function  of  the  block  cipher  algorithm  under  the  key  K  applied 

to  the  data  block  X. 
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C1PH\{X) 

LSBSX) 

msbsx) 


The  inverse  cipher  function  of  the  block  cipher  algorithm  under  the  key  K  applied 
to  the  data  block  X. 

The  bit  string  consisting  of  the  m  least  significant  bits  of  the  bit  string  X. 

The  bit  string  consisting  of  the  m  most  significant  bits  of  the  bit  string  X. 

The  binary  representation  of  the  non-negative  integer  x,  in  m  bits,  where  v<2”. 
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5  Preliminaries 


5. 1  Underlying  Block  Cipher  Algorithm 

This  recommendation  assumes  that  a  FIPS-approved  symmetric  key  block  cipher  algorithm  has 
been  chosen  as  the  underlying  algorithm,  and  that  a  secret,  random  key,  denoted  K,  has  been 
established  among  all  of  the  parties  to  the  communication.  The  cryptographic  key  regulates  the 
functioning  of  the  block  cipher  algorithm  and,  thus,  by  extension,  regulates  the  functioning  of  the 
mode.  The  specifications  of  the  block  cipher  and  algorithms  and  the  modes  are  public,  so  the 
security  of  the  mode  depends,  at  a  minimum,  on  the  secrecy  of  the  key. 

A  confidentiality  mode  of  operation  of  the  block  cipher  algorithm  consists  of  two  processes  that 
are  inverses  of  each  other:  encryption  and  decryption.  Encryption  is  the  transformation  of  a 
usable  message,  called  the  plaintext,  into  an  unreadable  form,  called  the  ciphertext;  decryption  is 
the  transformation  that  recovers  the  plaintext  from  the  ciphertext. 

For  any  given  key,  the  underlying  block  cipher  algorithm  of  the  mode  also  consists  of  two 
functions  that  are  inverses  of  each  other.  These  two  functions  are  often  called  encryption  and 
decryption,  but  in  this  recommendation,  those  terms  are  reserved  for  the  processes  of  the 
confidentiality  modes.  Instead,  as  part  of  the  choice  of  the  block  cipher  algorithm,  one  of  the  two 
functions  is  designated  as  the  forward  cipher  function,  denoted  CIPH^;  the  other  function  is  then 
called  the  inverse  cipher  function,  denoted  CIPH  ‘ f..  The  inputs  and  outputs  of  both  functions  are 
called  input  blocks  and  output  blocks.  The  input  and  output  blocks  of  the  block  cipher  algorithm 
have  the  same  bit  length,  called  the  block  size,  denoted  b. 

5.2  Representation  of  the  Plaintext  and  the  Ciphertext 

For  all  of  the  modes  in  this  recommendation,  the  plaintext  must  be  represented  as  a  sequence  of 
bit  strings;  the  requirements  on  the  lengths  of  the  bit  strings  vary  according  to  the  mode: 

For  the  ECB  and  CBC  modes,  the  total  number  of  bits  in  the  plaintext  must  be  a  multiple  of  the 
block  size,  b;  in  other  words,  for  some  positive  integer  n,  the  total  number  of  bits  in  the  plaintext 
must  be  nb.  The  plaintext  consists  of  a  sequence  of  n  bit  strings,  each  with  bit  length  b.  The  bit 
strings  in  the  sequence  are  called  data  blocks,  and  the  plaintext  is  denoted  P,,  P2,..-,  P„- 

For  the  CFB  mode,  the  total  number  of  bits  in  the  plaintext  must  be  a  multiple  of  a  parameter, 
denoted  s,  that  does  not  exceed  the  block  size;  in  other  words,  for  some  positive  integer  n,  the 
total  number  of  bits  in  the  message  must  be  ns.  The  plaintext  consists  of  a  sequence  of  n  bit 
strings,  each  with  bit  length  s.  The  bit  strings  in  the  sequence  are  called  data  segments,  and  the 
plaintext  is  denoted  P  ^,P  2,.. ■,P  „■ 

For  the  OFB  and  CTR  modes,  the  plaintext  need  not  be  a  multiple  of  the  block  size.  Fet  n  and  u 
denote  the  unique  pair  of  positive  integers  such  that  the  total  number  of  bits  in  the  message  is 
(n-\)b+u,  where  1<  u<  b.  The  plaintext  consists  of  a  sequence  of  n  bit  strings,  in  which  the  bit 
length  of  the  last  bit  string  is  u,  and  the  bit  length  of  the  other  bit  strings  is  b.  The  sequence  is 
denoted  Pi,  Pi,...,  P„.i,  P  „,  and  the  bit  strings  are  called  data  blocks,  although  the  last  bit  string. 
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P  „ ,  may  not  be  a  complete  block. 


For  each  mode,  the  encryption  process  transforms  every  plaintext  data  block  or  segment  into  a 
corresponding  ciphertext  data  block  or  segment  with  the  same  bit  length,  so  that  the  ciphertext  is 
a  sequence  of  data  blocks  or  segments.  The  ciphertext  is  denoted  as  follows:  for  the  ECB  and 
CBC  modes,  C,,  Cj,...,  C„;  for  the  CFB  mode,  C^i,  (f  2,...,  Cf„;  and,  for  the  OFB  and  CTR  modes. 
Cl,  C2,. . .,  C  „,  where  C  „  may  be  a  partial  block. 

The  formatting  of  the  plaintext,  including  in  some  cases  the  appending  of  padding  bits  to  form 
complete  data  blocks  or  data  segments,  is  outside  the  scope  of  this  recommendation.  Padding  is 
discussed  in  Appendix  A. 

5.3  Initialization  Vectors 

The  input  to  the  encryption  processes  of  the  CBC,  CFB,  and  OFB  modes  includes,  in  addition  to 
the  plaintext,  a  data  block  called  the  initialization  vector  (IV),  denoted  IV.  The  IV  is  used  in  an 
initial  step  in  the  encryption  of  a  message  and  in  the  corresponding  decryption  of  the  message. 

The  IV  need  not  be  secret;  however,  for  the  CBC  and  CFB  modes,  the  IV  for  any  particular 
execution  of  the  encryption  process  must  be  unpredictable,  and,  for  the  OFB  mode,  unique  IVs 
must  be  used  for  each  execution  of  the  encryption  process.  The  generation  of  IVs  is  discussed  in 
Appendix  C. 

5.4  Examples  of  Operations  and  Functions 

The  concatenation  operation  on  bit  strings  is  denoted  I  ;  for  example,  001  I  101 11=  001 101 11. 

Given  bit  strings  of  equal  length,  the  exclusive-OR  operation,  denoted  ©,  specifies  the  addition, 
modulo  2,  of  the  bits  in  each  bit  position,  i.e.,  without  carries.  Thus,  1001 1  ©  10101=  001 10,  for 
example. 

The  functions  LSB,.  and  MSB,  return  the  s  least  significant  bits  and  the  s  most  significant  bits  of 
their  arguments.  For  example,  LSB,(n  101 1010)  =  010,  and  M5B,(1 1 101 1010)  =  1110. 

Given  a  positive  integer  m  and  a  non-negative  (decimal)  integer  x  that  is  less  than  2”,  the  binary 
representation  of  x  in  m  bits  is  denoted  [x]„.  For  example,  [45]  ^  =  00101101. 
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6  Block  Cipher  Modes  of  Operation 


The  mathematical  specifications  of  the  five  modes  are  given  in  Sections  6. 1-6.5,  along  with 
descriptions,  illustrations,  and  comments  on  the  potential  for  parallel  processing. 

6. 1  The  Electronic  Codebook  Mode 

The  Electronic  Codebook  (ECB)  mode  is  a  confidentiality  mode  that  features,  for  a  given  key, 
the  assignment  of  a  fixed  ciphertext  block  to  each  plaintext  block,  analogous  to  the  assignment  of 
code  words  in  a  codebook.  The  Electronic  Codebook  (ECB)  mode  is  defined  as  follows: 

ECB  Encryption:  C^  =  CIPHJJ’)  for y  =  1  ...  n. 

ECB  Decryption:  =  CIPH  ‘ JjC)  for y  =  1  ...  n. 

In  ECB  encryption,  the  forward  cipher  function  is  applied  directly  and  independently  to  each 
block  of  the  plaintext.  The  resulting  sequence  of  output  blocks  is  the  ciphertext. 

In  ECB  decryption,  the  inverse  cipher  function  is  applied  directly  and  independently  to  each 
block  of  the  ciphertext.  The  resulting  sequence  of  output  blocks  is  the  plaintext. 


ECB  Encryption 


ECB  Decryption 


Eigure  1 :  The  ECB  Mode 


In  ECB  encryption  and  ECB  decryption,  multiple  forward  cipher  functions  and  inverse  cipher 
functions  can  be  computed  in  parallel. 

In  the  ECB  mode,  under  a  given  key,  any  given  plaintext  block  always  gets  encrypted  to  the 
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same  ciphertext  block.  If  this  property  is  undesirable  in  a  particular  application,  the  ECB  mode 
should  not  be  used. 

The  ECB  mode  is  illustrated  in  Eigure  1 . 

6.2  The  Cipher  Block  Chaining  Mode 

The  Cipher  Block  Chaining  (CBC)  mode  is  a  confidentiality  mode  whose  encryption  process 
features  the  combining  (“chaining”)  of  the  plaintext  blocks  with  the  previous  ciphertext  blocks. 
The  CBC  mode  requires  an  IV  to  combine  with  the  first  plaintext  block.  The  IV  need  not  be 
secret,  but  it  must  be  unpredictable;  the  generation  of  such  IVs  is  discussed  in  Appendix  C. 
Also,  the  integrity  of  the  IV  should  be  protected,  as  discussed  in  Appendix  D.  The  CBC  mode  is 
defined  as  follows: 

CBC  Encryption:  Cj  =  CIPH^(P^  ©  IV); 

q  =  CIPH^P.  ©  C, ,)  for 7  =  2  ...  n. 

CBC  Decryption:  P,  =  C1PH\{C,)  ©  IV; 

P^  =  CIPH  \iC)  ©  q,,  for;  =  2  ...  n. 


Eigure  2:  The  CBC  Mode 


In  CBC  encryption,  the  first  input  block  is  formed  by  exclusive- ORing  the  first  block  of  the 
plaintext  with  the  IV.  The  forward  cipher  function  is  applied  to  the  first  input  block,  and  the 
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resulting  output  block  is  the  first  block  of  the  ciphertext.  This  output  block  is  also  exclusive- 
ORed  with  the  second  plaintext  data  block  to  produce  the  second  input  block,  and  the  forward 
cipher  function  is  applied  to  produce  the  second  output  block.  This  output  block,  which  is  the 
second  ciphertext  block,  is  exclusive-ORed  with  the  next  plaintext  block  to  form  the  next  input 
block.  Each  successive  plaintext  block  is  exclusive-ORed  with  the  previous  output/ciphertext 
block  to  produce  the  new  input  block.  The  forward  cipher  function  is  applied  to  each  input  block 
to  produce  the  ciphertext  block. 

In  CBC  decryption,  the  inverse  cipher  function  is  applied  to  the  first  ciphertext  block,  and  the 
resulting  output  block  is  exclusive-ORed  with  the  initialization  vector  to  recover  the  first 
plaintext  block.  The  inverse  cipher  function  is  also  applied  to  the  second  ciphertext  block,  and 
the  resulting  output  block  is  exclusive-ORed  with  the  first  ciphertext  block  to  recover  the  second 
plaintext  block.  In  general,  to  recover  any  plaintext  block  (except  the  first),  the  inverse  cipher 
function  is  applied  to  the  corresponding  ciphertext  block,  and  the  resulting  block  is  exclusive- 
ORed  with  the  previous  ciphertext  block. 

In  CBC  encryption,  the  input  block  to  each  forward  cipher  operation  (except  the  first)  depends  on 
the  result  of  the  previous  forward  cipher  operation,  so  the  forward  cipher  operations  cannot  be 
performed  in  parallel.  In  CBC  decryption,  however,  the  input  blocks  for  the  inverse  cipher 
function,  i.e.,  the  ciphertext  blocks,  are  immediately  available,  so  that  multiple  inverse  cipher 
operations  can  be  performed  in  parallel. 

The  CBC  mode  is  illustrated  in  Figure  2. 

6.3  The  Cipher  Feedback  Mode 


The  Cipher  Feedback  (CFB)  mode  is  a  confidentiality  mode  that  features  the  feedback  of 
successive  ciphertext  segments  into  the  input  blocks  of  the  forward  cipher  to  generate  output 
blocks  that  are  exclusive-ORed  with  the  plaintext  to  produce  the  ciphertext,  and  vice  versa.  The 
CFB  mode  requires  an  IV  as  the  initial  input  block.  The  IV  need  not  be  secret,  but  it  must  be 
unpredictable;  the  generation  of  such  IVs  is  discussed  in  Appendix  C. 

The  CFB  mode  also  requires  an  integer  parameter,  denoted  s,  such  that  I  <  s  <  b.  In  the 
specification  of  the  CFB  mode  below,  each  plaintext  segment  (P*)  and  ciphertext  segment  (Cf) 
consists  of  s  bits.  The  value  of  s  is  sometimes  incorporated  into  the  name  of  the  mode,  e.g.,  the 
1-bit  CFB  mode,  the  8-bit  CFB  mode,  the  64-bit  CFB  mode,  or  the  128-bit  CFB  mode. 

The  CFB  mode  is  defined  as  follows: 


CFB  Encryption: 


CFB  Decryption: 


=  IV; 

fox i  =  2  ...  n\ 

0^  =  CIPH,(I) 

foxj=  1,  2  ...  n; 

fory  =  1,  2  ...  n. 

h  =  IV; 

I^  =  LSB,_iI,,)\(^,, 

fory  =  2  . . .  n; 
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for;  =  1,  2  ...  n; 
fory  =  1,  2  ...  n. 


O,  =  CIPH,(I) 

P, =  (f,@MSBXO) 

In  CFB  encryption,  the  first  input  block  is  the  IV,  and  the  forward  cipher  operation  is  applied  to 
the  IV  to  produce  the  first  output  block.  The  first  ciphertext  segment  is  produced  by  exclusive- 
ORing  the  first  plaintext  segment  with  the  s  most  significant  bits  of  the  first  output  block.  (The 
remaining  b-s  bits  of  the  first  output  block  are  discarded.)  The  b-s  least  significant  bits  of  the  IV 
are  then  concatenated  with  the  s  bits  of  the  first  ciphertext  segment  to  form  the  second  input 
block.  An  alternative  description  of  the  formation  of  the  second  input  block  is  that  the  bits  of 
the  first  input  block  circularly  shift  s  positions  to  the  left,  and  then  the  ciphertext  segment 
replaces  the  s  least  significant  bits  of  the  result. 

The  process  is  repeated  with  the  successive  input  blocks  until  a  ciphertext  segment  is  produced 
from  every  plaintext  segment.  In  general,  each  successive  input  block  is  enciphered  to  produce 
an  output  block.  The  s  most  significant  bits  of  each  output  block  are  exclusive-ORed  with  the 
corresponding  plaintext  segment  to  form  a  ciphertext  segment.  Each  ciphertext  segment  (except 
the  last  one)  is  “fed  back”  into  the  previous  input  block,  as  described  above,  to  form  a  new  input 
block.  The  feedback  can  be  described  in  terms  of  the  individual  bits  in  the  strings  as  follows:  if 
is  the  jth  input  block,  and  Cf2...c^  is  the  jth  ciphertext  segment,  then  the  0+1)*  input  block 
is  h+lh+2-  ■  ■  h  CjC2-  ■ .  C,. 


Figure  3:  The  CFB  Mode 


In  CFB  decryption,  the  IV  is  the  first  input  block,  and  each  successive  input  block  is  formed  as  in 
CFB  encryption,  by  concatenating  the  b-s  least  significant  bits  of  the  previous  input  block  with 
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the  s  most  significant  bits  of  the  previous  ciphertext.  The  forward  cipher  function  is  applied  to 
each  input  block  to  produce  the  output  blocks.  The  s  most  significant  bits  of  the  output  blocks 
are  exclusive-ORed  with  the  corresponding  ciphertext  segments  to  recover  the  plaintext 
segments. 

In  CFB  encryption,  like  CBC  encryption,  the  input  block  to  each  forward  cipher  function  (except 
the  first)  depends  on  the  result  of  the  previous  forward  cipher  function;  therefore,  multiple 
forward  cipher  operations  cannot  be  performed  in  parallel.  In  CFB  decryption,  the  required 
forward  cipher  operations  can  be  performed  in  parallel  if  the  input  blocks  are  first  constructed  (in 
series)  from  the  IV  and  the  ciphertext. 

The  CFB  mode  is  illustrated  in  Figure  3. 

6.4  The  Output  Feedback  Mode 

The  Output  Feedback  (OFB)  mode  is  a  confidentiality  mode  that  features  the  iteration  of  the 
forward  cipher  on  an  IV  to  generate  a  sequence  of  output  blocks  that  are  exclusive-ORed  with 
the  plaintext  to  produce  the  ciphertext,  and  vice  versa.  The  OFB  mode  requires  that  the  IV  is  a 
nonce,  i.e.,  the  IV  must  be  unique  for  each  execution  of  the  mode  under  the  given  key;  the 
generation  of  such  IVs  is  discussed  in  Appendix  C.  The  OFB  mode  is  defined  as  follows: 

OFB  Encryption:  1,  =  IV; 

O,  =  CIPHfl) 

c,=  P.®0, 

C=P^@MSBlOX 

OFB  Decryption:  1,  =  IV; 

h  =  o,, 

O,  =  CIPHfl) 

P, =  c.  e  o, 

F„  =  C„©M5B„(C»„). 

In  OFB  encryption,  the  IV  is  transformed  by  the  forward  cipher  function  to  produce  the  first 
output  block.  The  first  output  block  is  exclusive-ORed  with  the  first  plaintext  block  to  produce 
the  first  ciphertext  block.  The  forward  cipher  function  is  then  invoked  on  the  first  output  block 
to  produce  the  second  output  block.  The  second  output  block  is  exclusive-ORed  with  the  second 
plaintext  block  to  produce  the  second  ciphertext  block,  and  the  forward  cipher  function  is 
invoked  on  the  second  output  block  to  produce  the  third  output  block.  Thus,  the  successive 
output  blocks  are  produced  from  applying  the  forward  cipher  function  to  the  previous  output 
blocks,  and  the  output  blocks  are  exclusive-ORed  with  the  corresponding  plaintext  blocks  to 
produce  the  ciphertext  blocks.  For  the  last  block,  which  may  be  a  partial  block  of  u  bits,  the 
most  significant  u  bits  of  the  last  output  block  are  used  for  the  exclusive-OR  operation;  the 
remaining  b-u  bits  of  the  last  output  block  are  discarded. 

In  OFB  decryption,  the  IV  is  transformed  by  the  forward  cipher  function  to  produce  the  first 


fory  =  2  . . .  n; 
for;  =  I,  2  ...  n; 
fory  =  I,  2  ...  n-I; 


fory  =  2  . . .  n; 
fory  =  I,  2  ...  n; 
fory  =  I,  2  ...  n-i; 
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output  block.  The  first  output  block  is  exclusive-ORed  with  the  first  ciphertext  block  to  recover 
the  first  plaintext  block.  The  first  output  block  is  then  transformed  by  the  forward  cipher 
function  to  produce  the  second  output  block.  The  second  output  block  is  exclusive-ORed  with 
the  second  ciphertext  block  to  produce  the  second  plaintext  block,  and  the  second  output  block  is 
also  transformed  by  the  forward  cipher  function  to  produce  the  third  output  block.  Thus,  the 
successive  output  blocks  are  produced  from  applying  the  forward  cipher  function  to  the  previous 
output  blocks,  and  the  output  blocks  are  exclusive-ORed  with  the  corresponding  ciphertext 
blocks  to  recover  the  plaintext  blocks.  For  the  last  block,  which  may  be  a  partial  block  of  u  bits, 
the  most  significant  u  bits  of  the  last  output  block  are  used  for  the  exclusive-OR  operation;  the 
remaining  b-u  bits  of  the  last  output  block  are  discarded. 


Figure  4:  The  OFB  Mode 


In  both  OFB  encryption  and  OFB  decryption,  each  forward  cipher  function  (except  the  first) 
depends  on  the  results  of  the  previous  forward  cipher  function;  therefore,  multiple  forward  cipher 
functions  cannot  be  performed  in  parallel.  However,  if  the  IV  is  known,  the  output  blocks  can  be 
generated  prior  to  the  availability  of  the  plaintext  or  ciphertext  data. 

The  OFB  mode  requires  a  unique  IV  for  every  message  that  is  ever  encrypted  under  the  given 
key.  If,  contrary  to  this  requirement,  the  same  IV  is  used  for  the  encryption  of  more  than  one 
message,  then  the  confidentiality  of  those  messages  may  be  compromised.  In  particular,  if  a 
plaintext  block  of  any  of  these  messages  is  known,  say,  the  jth  plaintext  block,  then  the  jth  output 
of  the  forward  cipher  function  can  be  determined  easily  from  the  jth  ciphertext  block  of  the 
message.  This  information  allows  the  jth  plaintext  block  of  any  other  message  that  is  encrypted 
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using  the  same  IV  to  be  easily  recovered  from  the yth  ciphertext  block  of  that  message. 

Confidentiality  may  similarly  be  compromised  if  any  of  the  input  blocks  to  the  forward  cipher 
function  for  the  encryption  of  a  message  is  designated  as  the  IV  for  the  encryption  of  another 
message  under  the  given  key. 

The  OFB  mode  is  illustrated  in  Figure  4. 

6.5  The  Counter  Mode 

The  Counter  (CTR)  mode  is  a  confidentiality  mode  that  features  the  application  of  the  forward 
cipher  to  a  set  of  input  blocks,  called  counters,  to  produce  a  sequence  of  output  blocks  that  are 
exclusive-ORed  with  the  plaintext  to  produce  the  ciphertext,  and  vice  versa.  The  sequence  of 
counters  must  have  the  property  that  each  block  in  the  sequence  is  different  from  every  other 
block.  This  condition  is  not  restricted  to  a  single  message:  across  all  of  the  messages  that  are 
encrypted  under  the  given  key,  all  of  the  counters  must  be  distinct.  In  this  recommendation,  the 
counters  for  a  given  message  are  denoted  T^,  T^,  ...  ,  r„.  Methods  for  generating  counters  are 
discussed  in  Appendix  B.  Given  a  sequence  of  counters,  T,  ,  Tj  ,  ...  ,  r„,  the  CTR  mode  is 
defined  as  follows: 

CTR  Encryption:  =  CIPHJJ')  for 7  =  1,  2  ...  n; 

Cj=Pj@Oj  fory  =  1,  2  ...  n-1; 

C\  =  P\®MSBXOX 

CTR  Decryption:  =  CIPHJJ')  for 7  =  1,  2  ...  n; 

Pj  =  Cj  @  Oj  forj  =  1,  2  . . .  n-l\ 

P\  =  C\®MSBXOX 

In  CTR  encryption,  the  forward  cipher  function  is  invoked  on  each  counter  block,  and  the 
resulting  output  blocks  are  exclusive-ORed  with  the  corresponding  plaintext  blocks  to  produce 
the  ciphertext  blocks.  For  the  last  block,  which  may  be  a  partial  block  of  u  bits,  the  most 
significant  u  bits  of  the  last  output  block  are  used  for  the  exclusive-OR  operation;  the  remaining 
b-u  bits  of  the  last  output  block  are  discarded. 

In  CTR  decryption,  the  forward  cipher  function  is  invoked  on  each  counter  block,  and  the 
resulting  output  blocks  are  exclusive-ORed  with  the  corresponding  ciphertext  blocks  to  recover 
the  plaintext  blocks.  For  the  last  block,  which  may  be  a  partial  block  of  u  bits,  the  most 
significant  u  bits  of  the  last  output  block  are  used  for  the  exclusive-OR  operation;  the  remaining 
b-u  bits  of  the  last  output  block  are  discarded. 

In  both  CTR  encryption  and  CTR  decryption,  the  forward  cipher  functions  can  be  performed  in 
parallel;  similarly,  the  plaintext  block  that  corresponds  to  any  particular  ciphertext  block  can  be 
recovered  independently  from  the  other  plaintext  blocks  if  the  corresponding  counter  block  can 
be  determined.  Moreover,  the  forward  cipher  functions  can  be  applied  to  the  counters  prior  to  the 
availability  of  the  plaintext  or  ciphertext  data. 
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Figure  5:  The  CTR  Mode 


The  CTR  mode  is  illustrated  in  Figure  5. 
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Appendix  A:  Padding 


For  the  ECB,  CBC,  and  CFB  modes,  the  plaintext  must  be  a  sequence  of  one  or  more  complete 
data  blocks  (or,  for  CFB  mode,  data  segments).  In  other  words,  for  these  three  modes,  the  total 
number  of  bits  in  the  plaintext  must  be  a  positive  multiple  of  the  block  (or  segment)  size. 

If  the  data  string  to  be  encrypted  does  not  initially  satisfy  this  property,  then  the  formatting  of  the 
plaintext  must  entail  an  increase  in  the  number  of  bits.  A  common  way  to  achieve  the  necessary 
increase  is  to  append  some  extra  bits,  called  padding,  to  the  trailing  end  of  the  data  string  as  the 
last  step  in  the  formatting  of  the  plaintext.  An  example  of  a  padding  method  is  to  append  a 
single  ‘1’  bit  to  the  data  string  and  then  to  pad  the  resulting  string  by  as  few  ‘0’  bits,  possibly 
none,  as  are  necessary  to  complete  the  final  block  (segment).  Other  methods  may  be  used;  in 
general,  the  formatting  of  the  plaintext  is  outside  the  scope  of  this  recommendation. 

For  the  above  padding  method,  the  padding  bits  can  be  removed  unambiguously,  provided  the 
receiver  can  determine  that  the  message  is  indeed  padded.  One  way  to  ensure  that  the  receiver 
does  not  mistakenly  remove  bits  from  an  unpadded  message  is  to  require  the  sender  to  pad  every 
message,  including  messages  in  which  the  final  block  (segment)  is  already  complete.  For  such 
messages,  an  entire  block  (segment)  of  padding  is  appended.  Alternatively,  such  messages  can 
be  sent  without  padding  if,  for  every  message,  the  existence  of  padding  can  be  reliably  inferred, 
e.g.,  from  a  message  length  indicator. 
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Appendix  B:  Generation  of  Counter  Biocks 


The  specification  of  the  CTR  mode  requires  a  unique  counter  block  for  each  plaintext  block  that 
is  ever  encrypted  under  a  given  key,  across  all  messages.  If,  contrary  to  this  requirement,  a 
counter  block  is  used  repeatedly,  then  the  confidentiality  of  all  of  the  plaintext  blocks 
corresponding  to  that  counter  block  may  be  compromised.  In  particular,  if  any  plaintext  block 
that  is  encrypted  using  a  given  counter  block  is  known,  then  the  output  of  the  forward  cipher 
function  can  be  determined  easily  from  the  associated  ciphertext  block.  This  output  allows  any 
other  plaintext  blocks  that  are  encrypted  using  the  same  counter  block  to  be  easily  recovered 
from  their  associated  ciphertext  blocks. 

There  are  two  aspects  to  satisfying  the  uniqueness  requirement.  First,  an  incrementing  function 
for  generating  the  counter  blocks  from  any  initial  counter  block  can  ensure  that  counter  blocks  do 
not  repeat  within  a  given  message.  Second,  the  initial  counter  blocks,  T,,  must  be  chosen  to 
ensure  that  counters  are  unique  across  all  messages  that  are  encrypted  under  the  given  key. 

B.  1  The  Standard  Incrementing  Function 

In  general,  given  the  initial  counter  block  for  a  message,  the  successive  counter  blocks  are 
derived  by  applying  an  incrementing  function.  As  in  the  above  specifications  of  the  modes,  n  is 
the  number  of  blocks  in  the  given  plaintext  message,  and  b  is  the  number  of  bits  in  the  block. 

The  standard  incrementing  function  can  apply  either  to  an  entire  block  or  to  a  part  of  a  block. 
Let  m  be  the  number  of  bits  in  the  specific  part  of  the  block  to  be  incremented;  thus,  m  is  a 
positive  integer  such  that  m<b.  Any  string  of  m  bits  can  be  regarded  as  the  binary  representation 
of  a  non-negative  integer  x  that  is  strictly  less  than  2”.  The  standard  incrementing  function  takes 
[x]„  and  returns  [v-i-1  mod  2"']„. 

For  example,  let  the  standard  incrementing  function  apply  to  the  five  least  significant  bits  of 
eight  bit  blocks,  so  that  b=S  and  m=5  (unrealistically  small  values);  let  *  represent  each  unknown 
bit  in  this  example,  and  let  ***11110  represent  a  block  to  be  incremented.  The  following 
sequence  of  blocks  results  from  four  applications  of  the  standard  incrementing  function: 

*  *  *  1  1  1  1  0 
*  *  *  1  1  1  1  1 
*  *  *00000 
*  *  *0000  1 
*  *  *000  1  0. 

Counter  blocks  in  which  a  given  set  of  m  bits  are  incremented  by  the  standard  incrementing 
function  satisfy  the  uniqueness  requirement  within  the  given  message  provided  that  n  <  2". 
Whether  the  uniqueness  requirement  for  counter  blocks  is  satisfied  across  all  messages  that  are 
encrypted  under  a  given  key  then  depends  on  the  choices  of  the  initial  counter  blocks  for  the 
messages,  as  discussed  in  the  next  section. 
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This  recommendation  permits  the  use  of  any  other  incrementing  function  that  generates  n  unique 
strings  of  m  bits  in  succession  from  the  allowable  initial  strings.  For  example,  if  the  initial  string 
of  m  bits  is  not  the  “zero”  string,  i.e.,  if  it  contains  at  least  one  T’  bit,  then  an  incrementing 
function  can  be  constructed  from  a  linear  feedback  shift  register  that  is  specialized  to  ensure  a 
sufficiently  large  period;  see  Ref.  [5]  for  information  about  linear  feedback  shift  registers. 

B.2  Choosing  Initial  Counter  Blocks 

The  initial  counter  blocks,  T^,  for  each  message  that  is  encrypted  under  the  given  key  must  be 
chosen  in  a  manner  than  ensures  the  uniqueness  of  all  the  counter  blocks  across  all  the  messages. 
Two  examples  of  approaches  to  choosing  the  initial  counter  blocks  are  given  in  this  section. 

In  the  first  approach,  for  a  given  key,  all  plaintext  messages  are  encrypted  sequentially.  Within 
the  messages,  the  same  fixed  set  of  m  bits  of  the  counter  block  is  incremented  by  the  standard 
incrementing  function.  The  initial  counter  block  for  the  initial  plaintext  message  may  be  any 
string  of  b  bits.  The  initial  counter  block  for  any  subsequent  message  can  be  obtained  by 
applying  the  standard  incrementing  function  to  the  fixed  set  of  m  bits  of  the  final  counter  block 
of  the  previous  message.  In  effect,  all  of  the  plaintext  messages  that  are  ever  encrypted  under  the 
given  key  are  concatenated  into  a  single  message;  consequently,  the  total  number  of  plaintext 
blocks  must  not  exceed  2”.  Procedures  should  be  established  to  ensure  the  maintenance  of  the 
state  of  the  final  counter  block  of  the  latest  encrypted  message,  and  to  ensure  the  proper 
sequencing  of  the  messages. 

A  second  approach  to  satisfying  the  uniqueness  property  across  messages  is  to  assign  to  each 
message  a  unique  string  of  b/2  bits  (rounding  up,  if  b  is  odd),  in  other  words,  a  message  nonce, 
and  to  incorporate  the  message  nonce  into  every  counter  block  for  the  message.  The  leading  b/2 
bits  (rounding  up,  if  b  is  odd)  of  each  counter  block  would  be  the  message  nonce,  and  the 
standard  incrementing  function  would  be  applied  to  the  remaining  m  bits  to  provide  an  index  to 
the  counter  blocks  for  the  message.  Thus,  if  N  is  the  message  nonce  for  a  given  message,  then 
the  jth  counter  block  is  given  hy  =  N  \  [/]„,  for  7  =  The  number  of  blocks,  n,  in  any 

message  must  satisfy  n  <  2".  A  procedure  should  be  established  to  ensure  the  uniqueness  of  the 
message  nonces. 

This  recommendation  allows  other  methods  and  approaches  for  achieving  the  uniqueness 
property.  Validation  that  an  implementation  of  the  CTR  mode  conforms  to  this  recommendation 
will  typically  include  an  examination  of  the  procedures  for  assuring  the  uniqueness  of  counter 
blocks  within  messages  and  across  all  messages  that  are  encrypted  under  a  given  key. 
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Appendix  C:  Generation  of  initiaiization  Vectors 


The  CBC,  CFB,  and  OFB  modes  require  an  initialization  vector  as  input,  in  addition  to  the 
plaintext.  An  IV  must  be  generated  for  each  execution  of  the  encryption  operation,  and  the  same 
IV  is  necessary  for  the  corresponding  execution  of  the  decryption  operation.  Therefore,  the  IV,  or 
information  that  is  sufficient  to  calculate  the  IV,  must  be  available  to  each  party  to  the 
communication. 

The  IV  need  not  be  secret,  so  the  IV,  or  information  sufficient  to  determine  the  IV,  may  be 
transmitted  with  the  ciphertext. 

For  the  CBC  and  CFB  modes,  the  IVs  must  be  unpredictable.  In  particular,  for  any  given 
plaintext,  it  must  not  be  possible  to  predict  the  IV  that  will  be  associated  to  the  plaintext  in 
advance  of  the  generation  of  the  IV. 

There  are  two  recommended  methods  for  generating  unpredictable  IVs.  The  first  method  is  to 
apply  the  forward  cipher  function,  under  the  same  key  that  is  used  for  the  encryption  of  the 
plaintext,  to  a  nonce.  The  nonce  must  be  a  data  block  that  is  unique  to  each  execution  of  the 
encryption  operation.  For  example,  the  nonce  may  be  a  counter,  as  described  in  Appendix  B,  or 
a  message  number.  The  second  method  is  to  generate  a  random  data  block  using  a  FIPS- 
approved  random  number  generator. 

For  the  OFB  mode,  the  IV  need  not  be  unpredictable,  but  it  must  be  a  nonce  that  is  unique  to 
each  execution  of  the  encryption  operation.  For  example,  the  nonce  may  be  a  counter,  as 
described  in  Appendix  B,  or  a  message  number. 

If,  contrary  to  this  requirement,  the  same  IV  is  used  for  the  OFB  encryption  of  more  than  one 
message,  then  the  confidentiality  of  those  messages  may  be  compromised.  In  particular,  if  a 
plaintext  block  of  any  of  these  messages  is  known,  say,  the  jth  plaintext  block,  then  the  jth  output 
of  the  forward  cipher  function  can  be  determined  easily  from  the  yth  ciphertext  block  of  the 
message.  This  information  allows  the  jth  plaintext  block  of  any  other  message  that  is  encrypted 
using  the  same  IV  to  be  easily  recovered  from  the  jth  ciphertext  block  of  that  message. 

Confidentiality  may  similarly  be  compromised  if  any  of  the  input  blocks  to  the  forward  cipher 
function  for  the  OFB  encryption  of  a  message  is  designated  as  the  IV  for  the  encryption  of 
another  message  under  the  given  key.  One  consequence  of  this  observation  is  that  IVs  for  the 
OFB  mode  should  not  be  generated  by  invoking  the  block  cipher  on  another  IV. 

Validation  that  an  implementation  of  the  CBC,  CFB,  or  OFB  mode  conforms  to  this 
recommendation  will  typically  include  an  examination  of  the  procedures  for  assuring  the 
unpredictability  or  uniqueness  of  the  IV. 
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Appendix  D:  Error  Properties 


A  bit  error  is  the  substitution  of  a  ‘0’  bit  for  a  ‘1’  bit,  or  vice  versa.  This  appendix  contains  a 
discussion  of  the  effects  of  bit  errors  in  ciphertext  blocks  (or  segments),  counter  blocks,  and  IVs 
on  the  modes  in  this  recommendation.  Insertion  or  deletion  of  bits  into  ciphertext  blocks  (or 
segments)  is  also  discussed. 

For  any  confidentiality  mode,  if  there  are  any  bit  errors  in  a  single  ciphertext  block  (or  segment), 
then  the  decryption  of  that  ciphertext  block  (or  segment)  will  be  incorrect,  i.e.,  it  will  differ  from 
the  original  plaintext  block  (or  segment).  In  the  CFB,  OFB,  and  CTR  modes,  the  bit  error(s)  in 
the  decrypted  ciphertext  block  (or  segment)  occur  in  the  same  bit  position(s)  as  in  the  ciphertext 
block  (or  segment);  the  other  bit  positions  are  not  affected.  In  the  ECB  and  CBC  modes,  a  bit 
error  may  occur,  independently,  in  any  bit  position  of  the  decrypted  ciphertext  block,  with  an 
expected  error  rate  of  fifty  percent,  depending  on  the  strength  of  the  underlying  block  cipher. 

For  the  ECB,  OEB,  and  CTR  modes,  bit  errors  within  a  ciphertext  block  do  not  affect  the 
decryption  of  any  other  blocks.  In  the  CBC  mode,  any  bit  positions  that  contain  bit  errors  in  a 
ciphertext  block  will  also  contain  bit  errors  in  the  decryption  of  the  succeeding  ciphertext  block; 
the  other  bit  positions  are  not  affected.  In  the  CEB  mode,  bit  errors  in  a  ciphertext  segment  affect 
the  decryption  of  the  next  b/s  (rounded  up  to  the  nearest  integer)  ciphertext  segments.  A  bit  error 
may  occur,  independently,  in  any  bit  position  in  these  decrypted  segments,  with  an  expected 
error  rate  of  fifty  percent. 

Similarly,  for  the  CTR  mode,  if  there  is  a  bit  error  in  a  counter  block,  then  a  bit  error  may  occur, 
independently,  in  any  bit  position  of  the  decryption  of  the  corresponding  ciphertext,  with  an 
expected  error  rate  of  fifty  percent. 

Bit  errors  in  IVs  also  affect  the  decryption  process.  In  the  OEB  mode,  bit  errors  in  the  IV  affect 
the  decryption  of  every  ciphertext  block.  In  the  CEB  mode,  bit  errors  in  the  IV  affect,  at  a 
minimum,  the  decryption  of  the  first  ciphertext  segment,  and  possibly  successive  ciphertext 
segments,  depending  on  the  bit  position  of  the  rightmost  bit  error  in  the  IV.  (In  general,  a  bit 
error  in  the  ith  most  significant  bit  position  affects  the  decryptions  of  the  first  i/s  (rounding  up) 
ciphertext  segments.)  Eor  both  the  OEB  and  CEB  modes,  a  bit  error  may  occur,  independently, 
in  any  bit  position  of  the  affected  ciphertext  blocks  (or  segments),  with  an  expected  error  rate  of 
fifty  percent.  In  the  CBC  mode,  if  bit  errors  occur  in  the  IV,  then  the  first  ciphertext  block  will 
be  decrypted  incorrectly,  and  bit  errors  will  occur  in  exactly  the  same  bit  positions  as  in  the  IV; 
the  decryptions  of  the  other  ciphertext  blocks  are  not  affected. 

Consequently,  for  the  CBC  mode,  the  decryption  of  the  first  ciphertext  block  is  vulnerable  to  the 
(deliberate)  introduction  of  bit  errors  in  specific  bit  positions  of  the  IV  if  the  integrity  of  the  IV  is 
not  protected.  Similarly,  for  the  OEB  and  CTR  modes,  the  decryption  of  any  ciphertext  block  is 
vulnerable  to  the  introduction  of  specific  bit  errors  into  that  ciphertext  block  if  its  integrity  is  not 
protected.  The  same  property  also  holds  for  the  ciphertext  segments  in  the  CEB  mode;  however, 
for  every  ciphertext  segment  except  the  last  one,  the  existence  of  such  bit  errors  may  be  detected 
by  their  randomizing  effect  on  the  decryption  of  the  succeeding  ciphertext  segment. 
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Table  D.  1  summarizes  the  effects  of  bit  errors  in  a  ciphertext  block  or  IV  on  the  decryption  of  the 
ciphertext  for  each  of  the  five  confidentiality  modes. 


Table  D.le  five  confidentiality  modes. 


Table  D.2:  Summary  of  Effect  of  Bit  Errors  on  Decryption 


Mode 

Effect  of  Bit  Errors  in  C, 

Effect  of  Bit  Errors  in  the  IV 

ECB 

RBE  in  the  decryption  of  C, 

Not  applicable 

CBC 

RBE  in  the  decryption  of  Cj 

SBE  in  the  decryption  of  C.  ., 

SBE  in  the  decryption  of  C, 

CEB 

SBE  in  the  decryption  of  C, 

RBE  in  the  decryption  of  C.  . . C.  ,.,. 

RBE  in  the  decryption  of  C„  Q,  ...,  C, 
for  some  i  between  1  and  b/s 

OEB 

SBE  in  the  decryption  of  C, 

RBE  in  the  decryption  of  C„  Q,  ...,  C„ 

CTR 

SBE  in  the  decryption  of  C- 

Not  applicable  * 

RBE:  random  bit  errors,  i.e.,  bit  errors  occur  independently  in  any  bit  position  with  an 
expected  probability  of  Vi. 

SBE:  specific  bit  errors,  i.e.,  bit  errors  occur  in  the  same  bit  position(s)  as  the  original  bit 
error(s). 

*  Bit  errors  in  the  yth  counter  block,  T-,  result  in  RBE  in  the  decryption  of  C-. 

The  deletion  or  insertion  of  bits  into  a  ciphertext  block  (or  segment)  spoils  the  synchronization  of 
the  block  (or  segment)  boundaries;  in  effect,  bit  errors  may  occur  in  the  bit  position  of  the 
inserted  or  deleted  bit,  and  in  every  subsequent  bit  position.  Therefore,  the  decryptions  of  the 
subsequent  ciphertext  blocks  (or  segments)  will  almost  certainly  be  incorrect  until  the 
synchronization  is  restored.  When  the  1-bit  CEB  mode  is  used,  then  the  synchronization  is 
automatically  restored  b+l  positions  after  the  inserted  or  deleted  bit.  Eor  other  values  of  s  in  the 
CEB  mode,  and  for  the  other  confidentiality  modes  in  this  recommendation,  the  synchronization 
must  be  restored  externally. 
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Appendix  E:  Modes  of  Triple  DES 


FIPS  Pub  46-3  [FIPS  46-3]  specifies  the  Data  Encryption  Standard  (DES)  algorithm  and 
approves  its  three-fold,  compound  operation  that  is  specified  in  ANSI  X9.52  [1]:  the  Triple  Data 
Encryption  Algorithm  (TDEA).  Essentially,  the  TDEA  consists  of  the  application  of  the  forward 
DES  algorithm,  i.e,  DES  encryption,  under  one  key,  followed  by  the  application  of  the  inverse 
DES  algorithm,  i.e.,  DES  decryption,  under  a  second  key,  followed  by  the  application  of  the 
forward  DES  algorithm  under  a  third  key.  The  TDEA  is  often  called  Triple  DES. 

EIPS  Pub  46-3  also  approves  the  seven  modes  of  operation  of  Triple  DES  that  are  specified  in 
ANSI  X9.52.  Eour  of  those  modes  are  equivalent  to  modes  in  this  recommendation  with  the 
TDEA  as  the  underlying  block  cipher.  In  particular,  the  TECB,  TCBC,  and  TOEB  modes  in 
ANSI  X9.52  are  equivalent  to  the  ECB,  CBC,  and  OEB  modes  in  this  recommendation,  with  the 
TDEA  as  the  underlying  block  cipher;  the  TCEB  mode  in  ANSI  X9.52  is  equivalent  to  the  CEB 
mode  in  this  recommendation,  with  the  TDEA  as  the  underlying  block  cipher,  provided  that  the 
possible  choices  of  the  parameter  s  (the  segment  size)  are  restricted  to  three  values:  1,  8,  and  64. 
The  remaining  three  modes  in  ANSI  X9.52  are  TCBC-I,  TCEB-P,  and  TOEB-I;  they  are  mode 
variants  that  allow  for  interleaving  or  pipelining;  this  recommendation  does  not  provide 
analogues  of  these  three  modes. 

The  Triple  DES  modes  in  ANSI  X9.52  should  not  be  used  as  the  underlying  block  cipher 
algorithm  for  the  modes  in  this  recommendation.  However,  the  Triple  DES  algorithm,  i.e., 
TDEA,  as  described  above,  may  be  used  as  the  underlying  block  cipher  algorithm  for  the  six 
modes  in  this  recommendation.  One  of  the  resulting  modes  of  Triple  DES  is  new,  i.e.,  not 
specified  in  ANSI  X9.52:  the  CTR  mode  of  the  TDEA. 
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Appendix  F:  Example  Vectors  for  Modes  of  Operation  of  the  AES 


In  this  appendix,  three  examples  are  provided  for  each  of  the  modes  in  this  recommendation  with 
the  AES  algorithm  [2]  as  the  underlying  block  cipher:  one  example  is  given  for  each  of  the 
allowed  key  sizes  (128,  192,  and  256  bits).  Some  intermediate  results  are  presented.  For  the  five 
confidentiality  modes,  examples  are  provided  for  both  encryption  and  decryption.  Examples  are 
provided  for  1-bit,  8-bit,  and  128  bit  CEB.  The  plaintext  for  all  but  two  of  these  examples  is 
equivalent  to  the  following  string  of  hexadecimal  characters,  formatted  into  four  128  bit  blocks: 

6bclbee22e409f96e93d7el 173 93172a 
ae2d8a571e03ac9c9eb76fac45af8e51 
30c81c46a35ce411e5fbcll91a0a52ef 
f 69f2445df4f 9bl7ad2b417be66c3710 . 


For  the  example  of  1-bit  CEB,  the  plaintext  is  the  first  16  bits  in  the  above  string;  for  the  example 
of  8-bit  CEB,  the  plaintext  is  the  first  18  octets  in  the  above  string.  All  strings  are  presented  in 
hexadecimal  notation,  except  in  the  example  of  1-bit  CEB,  where  the  plaintext  and  ciphertext 
segments  are  single  bits. 

F.  1  ECB  Example  Vectors 


F.1.1  ECB- AES  128.  Encrypt 

Key  2b7el51628aed2a6abf715880 

Block  #1 


Plaintext 
Input  Block 
Output  Block 
Ciphertext 
Block  #2 
Plaintext 
Input  Block 
Output  Block 
Ciphertext 
Block  #3 
Plaintext 
Input  Block 
Output  Block 
Ciphertext 
Block  #4 
Plaintext 
Input  Block 
Output  Block 
Ciphertext 


6bclbee22e409f 96e93d7ell7 
6bclbee22e409f 96e93d7ell7 
3ad7  7bb4  0d7a3  6  60a8  9ecaf 32 
3ad7  7bb4  0d7a3  6  60a8  9ecaf 32 


ae2d8a571e03ac9c9eb76fac4 

ae2d8a571e03ac9c9eb76fac4 

f5d3d58503b9699de785895a9 

f5d3d58503b9699de785895a9 

30c81c46a35ce411e5fbcll91 

30c81c46a35ce411e5fbcll91 

43blcd7f598ece23881b00e3e 

43blcd7f598ece23881b00e3e 

f 69f2445df4f 9bl7ad2b417be 
f 69f2445df4f 9bl7ad2b417be 
7b0c785e27e8ad3f822320710 
7b0c785e27e8ad3f822320710 


9cf4f3c 

393172a 
393172a 
4  6  6ef  97 
4  6  6ef  97 

5af  8e51 
5af  8e51 
6f dbaaf 
6f dbaaf 


a0a52ef 

a0a52ef 

d030688 

d030688 

66c3710 

66c3710 

4725dd4 

4725dd4 


F.  1.2  ECB-AES 128.  Decrypt 

Key  2b7el51628aed2a6abf7158809cf4f3c 

Block  #1 


Ciphertext  3ad7  7bb4  0d7a3  6  60a8  9ecaf 32  4  6  6ef 97 

Input  Block  3ad77bb40d7a3660a89ecaf32466ef 97 
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Output  Block 
Plaintext 
Block  #2 
Ciphertext 
Input  Block 
Output  Block 
Plaintext 
Block  #3 
Ciphertext 
Input  Block 
Output  Block 
Plaintext 
Block  #4 
Ciphertext 
Input  Block 
Output  Block 
Plaintext 


6bclbee22e409f96e93d7el 173 93172a 
6bclbee22e409f96e93d7el 173 93172a 

f5d3d58503b9699de785895a96fdbaaf 

f5d3d58503b9699de785895a96fdbaaf 

ae2d8a571e03ac9c9eb76fac45af8e51 

ae2d8a571e03ac9c9eb76fac45af8e51 

43blcd7f598ece23881b00e3ed030688 

43blcd7f598ece23881b00e3ed030688 

30c81c46a35ce411e5fbcll91a0a52ef 

30c81c46a35ce411e5fbcll91a0a52ef 

7b0c7 85e27e8ad3f 82232 07 104725dd4 
7b0c7 85e27e8ad3f 82232 07 104725dd4 
f 69f2445df4f 9bl7ad2b417be66c3710 
f 69f2445df4f 9bl7ad2b417be66c3710 


F.1.3  ECB-AES192.Encrypt 

Key  8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b 

Block  #1 


Plaintext 
Input  Block 
Output  Block 
Ciphertext 
Block  #2 


6bclbee22e409f96e93d7el 173 93172a 
6bclbee22e409f96e93d7el 173 93172a 
bd334fld6e45f25ff712a214571fa5cc 
bd334fld6e45f25ff712a214571fa5cc 


Plaintext 


ae2d8a571e03ac9c9eb76fac45af8e51 


Input  Block 
Output  Block 
Ciphertext 
Block  #3 
Plaintext 
Input  Block 
Output  Block 
Ciphertext 
Block  #4 
Plaintext 
Input  Block 
Output  Block 
Ciphertext 


ae2d8a571e03ac9c9eb76fac45af8e51 
97  4 1 04  84  6d0ad3ad7734ecb3ecee4eef 
97  4 1 04  84  6d0ad3ad7734ecb3ecee4eef 

30c81c46a35ce411e5fbcll91a0a52ef 
30c81c46a35ce411e5fbcll91a0a52ef 
ef 7afd2270e2e60adce0ba2f ace6444e 
ef 7afd2270e2e60adce0ba2f ace6444e 

f 69f2445df4f 9bl7ad2b417be66c3710 
f 69f2445df4f 9bl7ad2b417be66c3710 
9a4b41ba738d6c72fbl6691603cl8e0e 
9a4b41ba738d6c72fbl6691603cl8e0e 


F.1.4  ECB-AES192.  Decrypt 

Key  8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b 

Block  #1 


Ciphertext 
Input  Block 
Output  Block 
Plaintext 


bd334fld6e45f25ff712a214571fa5cc 
bd334fld6e45f25ff712a214571fa5cc 
6bclbee22e409f96e93d7el 173 93172a 
6bclbee22e409f96e93d7el 173 93172a 


Block  #2 


Ciphertext 
Input  Block 
Output  Block 
Plaintext 


97  4 1 04  84  6d0ad3ad7734ecb3ecee4eef 
97  4 1 04  84  6d0ad3ad7734ecb3ecee4eef 
ae2d8a571e03ac9c9eb76fac45af8e51 
ae2d8a571e03ac9c9eb76fac45af8e51 
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Block  #3 

Ciphertext  ef 7afd2270e2e60adce0ba2f ace6444e 
Input  Block  ef 7afd2270e2e60adce0ba2f ace6444e 
Output  Block  30c81c46a35ce411e5fbcll91a0a52ef 
Plaintext  30c81c46a35ce411e5fbcll91a0a52ef 
Block  #4 

Ciphertext  9a4b41ba738d6c72fbl6691603cl8e0e 
Input  Block  9a4b41ba738d6c72fbl6691603cl8e0e 
Output  Block  f 69f2445df4f 9bl7ad2b417be66c3710 
Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 

F.1.5  E  CB-AES256.  Encrypt 

Key  603debl015ca71be2b73aef 0857d7781 

If352c073b6108d72d9810a30914dff4 

Block  #1 

Plaintext  6bclbee22e409f96e93d7ell7393172a 
Input  Block  6bclbee22e409f 96e93d7ell7393172a 
Output  Block  f3eedlbdb5d2a03c064b5a7e3dbl81f 8 
Ciphertext  f 3eedlbdb5d2a03c0  64b5a7e3dbl 8  If 8 
Block  #2 

Plaintext  ae2d8a571e03ac9c9eb76fac45af8e51 
Input  Block  ae2d8a571e03ac9c9eb76fac45af 8e51 
Output  Block  591ccbl0d410ed26dc5ba74a31362870 
Ciphertext  591ccbl0d410ed26dc5ba74a31362870 
Block  #3 

Plaintext  30c81c46a35ce411e5fbcll91a0a52ef 
Input  Block  30c81c46a35ce411e5fbcll91a0a52ef 
Output  Block  b6ed21b99ca6f 4f 9f 153e7blbeafedld 
Ciphertext  b6ed21b99ca6f4f9fl53e7blbeafedld 
Block  #4 

Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 
Input  Block  f 69f2445df4f 9bl7ad2b417be66c3710 
Output  Block  23304b7a39f 9f3ff 067d8d8f 9e24ecc7 
Ciphertext  23304b7a39f9f3ff067d8d8f9e24ecc7 

F.1.6  ECB-AES256.  Decrypt 

Key  603debl015ca71be2b73aef 0857d7781 

If352c073b6108d72d9810a30914dff4 

Block  #1 

Ciphertext  f 3eedlbdb5d2a03c0  64b5a7e3dbl 8  If 8 
Input  Block  f3eedlbdb5d2a03c064b5a7e3dbl81f 8 
Output  Block  6bclbee22e409f 96e93d7ell7393172a 
Plaintext  6bclbee22e409f96e93d7ell7393172a 
Block  #2 

Ciphertext  591ccbl0d410ed26dc5ba74a31362870 
Input  Block  591ccbl0d410ed26dc5ba74a31362870 
Output  Block  ae2d8a571e03ac9c9eb76fac45af 8e51 
Plaintext  ae2d8a571e03ac9c9eb76fac45af8e51 
Block  #3 

Ciphertext  b6ed21b99ca6f4f9fl53e7blbeafedld 
Input  Block  b6ed21b99ca6f 4f 9f 153e7blbeafedld 
Output  Block  30c81c46a35ce411e5fbcll91a0a52ef 
Plaintext  30c81c46a35ce411e5fbcll91a0a52ef 
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Block  #4 

Ciphertext  23304b7a39f9f3ff067d8d8f9e24ecc7 
Input  Block  23304b7a39f 9f3ff 067d8d8f 9e24ecc7 
Output  Block  f 69f2445df4f 9bl7ad2b417be66c3710 
Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 

F.2  CBC  Example  Vectors 

F.2.1  CBC-AES1 28. Encrypt 

Key  2b7el51 628 aed2a6ab 1715880 9cf4f3c 
IV  0001020304050 607080 90a0b0c0d0e0f 
Block  #1 

Plaintext  6bclbee22e409f96e93d7ell7393172a 
Input  Block  6bc0bcel2a459991el34741a7f 9el925 
Output  Block  7 64 9abac8 1 1 9b24 6cee98e9bl2e91 97d 
Ciphertext  7649abac8119b246cee98e9bl2e9197d 
Block  #2 

Plaintext  ae2d8a571e03ac9c9eb76fac45af8e51 
Input  Block  d86421fb9f Ialeda505eel375746972c 
Output  Block  50 8 6cb9b5072 1 9ee95dbl 13a917 67 8b2 
Ciphertext  5086cb9b507219ee95dbll3a917678b2 
Block  #3 

Plaintext  30c81c46a35ce411e5fbcll91a0a52ef 
Input  Block  604ed7ddf32efdff7020d0238b7c2a5d 
Output  Block  73bed6b8e3cl743b7116e69e22229516 
Ciphertext  73bed6b8e3cl743b7116e69e22229516 
Block  #4 

Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 
Input  Block  8521f2fd3c8eef2cdc3da7e5c44ea206 
Output  Block  3ff Icaal681fac09120eca307586ela7 
Ciphertext  3fflcaal681fac09120eca307586ela7 

F.2.2  CBC- AES1 28. Decrypt 

Key  2b7el51 628 aed2a6ab 1715880 9cf4f3c 
IV  0001020304050 607080 90a0b0c0d0e01 
Block  #1 

Ciphertext  7649abac8119b246cee98e9bl2e9197d 
Input  Block  7 64 9abac8 1 1 9b24 6cee98e9bl2e91 97d 
Output  Block  6bc0bcel2a459991el34741a719el925 
Plaintext  6bclbee22e409196e93d7ell7393172a 
Block  #2 

Ciphertext  5086cb9b507219ee95dbll3a917678b2 
Input  Block  50 8 6cb9b5072 1 9ee95dbl 13a917 67 8b2 
Output  Block  d864211b911aleda505eel375746972c 
Plaintext  ae2d8a571e03ac9c9eb761ac45al8e51 
Block  #3 

Ciphertext  73bed6b8e3cl743b7116e69e22229516 
Input  Block  73bed6b8e3cl743b7116e69e22229516 
Output  Block  604ed7ddl32eldll7020d0238b7c2a5d 
Plaintext  30c81c46a35ce411e51bcll91a0a52el 
Block  #4 

Ciphertext  3111caal6811ac09120eca307586ela7 
Input  Block  3111caal6811ac09120eca307586ela7 
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Output  Block  8521f2fd3c8eef2cdc3da7e5c44ea206 
Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 

F.2.3  CBC-AES1 92. Encrypt 

Key  8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b 

IV  0001020304050 607080 90a0b0c0d0e0f 

Block  #1 

Plaintext  6bclbee22e409f96e93d7ell7393172a 

Input  Block  6bc0bcel2a459991el34741a7f 9el925 

Output  Block  4f 021db243bc633d7178183a9fa071e8 

Ciphertext  4f021db243bc633d7178183a9fa071e8 

Block  #2 

Plaintext  ae2d8a571e03ac9c9eb76fac45af8e51 

Input  Block  el2f 97e55dbfcfalefcf7796da0fffb9 

Output  Block  b4d9ada9ad7dedf4e5e738763f 69145a 

Ciphertext  b4d9ada9ad7dedf 4e5e7387  63f69145a 

Block  #3 

Plaintext  30c81c46a35ce411e5fbcll91a0a52ef 

Input  Block  8411blef0e2109e5001cf 96f256346b5 

Output  Block  571b242012fb7ae07fa9baac3df 102e0 

Ciphertext  571b242012fb7ae07fa9baac3dfl02e0 

Block  #4 

Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 

Input  Block  al840065cdb4elf7d282fbd7db9d35f 0 

Output  Block  08b0e27988598881d920a9e64f5615cd 

Ciphertext  08b0e27988598881d920a9e64f5615cd 

F.2.4  CBC-AES1 92. Decrypt 

Key  8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b 

IV  0001020304050 607080 90a0b0c0d0e0f 

Block  #1 

Ciphertext  4f021db243bc633d7178183a9fa071e8 

Input  Block  4f 021db243bc633d7178183a9fa071e8 

Output  Block  6bc0bcel2a459991el34741a7f 9el925 

Plaintext  6bclbee22e409f96e93d7ell7393172a 

Block  #2 

Ciphertext  b4d9ada9ad7dedf 4e5e7387  63f69145a 

Input  Block  b4d9ada9ad7dedf4e5e738763f 69145a 

Output  Block  el2f 97e55dbfcfalefcf7796da0fffb9 

Plaintext  ae2d8a571e03ac9c9eb76fac45af8e51 

Block  #3 

Ciphertext  571b242012fb7ae07fa9baac3dfl02e0 

Input  Block  571b242012fb7ae07fa9baac3df 102e0 

Output  Block  8411blef 0e2109e5001cf 96f256346b5 

Plaintext  30c81c46a35ce411e5fbcll91a0a52ef 

Block  #4 

Ciphertext  08b0e27988598881d920a9e64f5615cd 

Input  Block  08b0e27988598881d920a9e64f5615cd 

Output  Block  al840065cdb4elf7d282fbd7db9d35f 0 

Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 

F.2.5  CBC-AES256.  Encrypt 

Key  603debl015ca71be2b73aef 0857d7781 
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IV 

Block  #1 
Plaintext 
Input  Block 
Output  Block 
Ciphertext 
Block  #2 
Plaintext 
Input  Block 
Output  Block 
Ciphertext 
Block  #3 
Plaintext 
Input  Block 
Output  Block 
Ciphertext 
Block  #4 
Plaintext 
Input  Block 
Output  Block 
Ciphertext 


If352c073b6108d72d9810a30914dff4 
0001020304050 607080 90a0b0c0d0e0f 

6bclbee22e409f96e93d7el 173 93172a 
6bc0bcel2a459991el34741a7f 9el925 
f58c4c04d6e5flba779eabfb5f7bfbd6 
f58c4c04d6e5flba779eabfb5f7bfbd6 


ae2d8a571e03ac9c9eb76fac45af8e51 

5balc653c8e65d26e929c4571ad47587 

9cfc4e967edb808d679f777bc6702c7d 

9cfc4e967edb808d679f777bc6702c7d 

30c81c46a35ce411e5fbcll91a0a52ef 
ac3452d0dd87649c8264b662dc7a7e92 
3 9f23369a9d9bacfa530e2 63042314 61 
3 9f23369a9d9bacfa530e2 63042314 61 

f 69f2445df4f 9bl7ad2b417be66c3710 
cf 6dl72c7 6962 ld8 08 Iba318e24f 2371 
b2eb05e2c39be9f cda6cl 9078c6a9dlb 
b2eb05e2c39be9f cda6cl 9078c6a9dlb 


F.2.6  CBC-AES256.  Decrypt 

Key  603debl015ca71be2b73aef 0857d7781 

If352c073b6108d72d9810a30914dff4 
IV  0001020304050 607080 90a0b0c0d0e0f 

Block  #1 


Ciphertext 
Input  Block 
Output  Block 
Plaintext 


f58c4c04d6e5flba779eabfb5f7bfbd6 
f58c4c04d6e5flba779eabfb5f7bfbd6 
6bc0bcel2a459991el34741a7f 9el925 
6bclbee22e409f96e93d7el 173 93172a 


Block  #2 
Ciphertext 
Input  Block 
Output  Block 
Plaintext 


9cfc4e967edb808d679f777bc6702c7d 

9cfc4e967edb808d679f777bc6702c7d 

5balc653c8e65d26e929c4571ad47587 

ae2d8a571e03ac9c9eb76fac45af8e51 


Block  #3 
Ciphertext 
Input  Block 
Output  Block 
Plaintext 


3 9f23369a9d9bacfa530e2 63042314 61 
3 9f23369a9d9bacfa530e2 63042314 61 
ac3452d0dd87649c8264b662dc7a7e92 
30c81c46a35ce411e5fbcll91a0a52ef 


Block  #4 
Ciphertext 
Input  Block 
Output  Block 
Plaintext 


b2eb05e2c39be9f cda6cl 9078c6a9dlb 
b2eb05e2c39be9f cda6cl 9078c6a9dlb 
cf 6dl72c7 6962 ld8 08 Iba318e24f 2371 
f 69f2445df4f 9bl7ad2b417be66c3710 


F.3  CFB  Example  Vectors 

F.  3. 1  CFB  1- AES  128.  Encrypt 

Key  2b7el51 628 aed2a6ab 1715880 9cf4f3c 

IV  0001020304050 607080 90a0b0c0d0e0f 
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Segment  #1 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #2 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #3 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #4 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #5 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #6 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #7 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #8 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #9 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #10 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #11 
Input  Block 
Output  Block 
Plaintext 


0001020304050 607080 90a0b0c0d0e0f 
50fe67cc996d32b6da0937e99bafec60 
0 
0 

00020406080a0c0el0121416181alcle 

19cf576c7596e702f298b35666955c79 

1 

1 

0004080cl014181c2024282c3 03438 3d 
59el7759acd02b801fa321ea059e331f 
1 
1 

0008101820283038404850586068707b 

71f415b0ccl09e8b0faal4ab740c22f4 

0 

0 

001020304050 607080 90a0b0c0d0e0f 6 
3fb76d3dl048179964597a0f 64d5adad 
1 
1 

0020406080a0c0el0121416181alcled 

4c943b4bac54ab974e3e52326d29aaal 

0 

0 

004080cl014181c2024282c3034383da 

c94da41eb3d3acfl993a512able8203f 

1 

0 

00810182028303840485058606870 7b4 
e07f5e98778f75dbb2691c3f582c3953 
1 
0 

01020304050 607080 90a0b0c0d0e0f 68 
02ef5fc8961efcce8568bc0731262dc7 
1 
1 

020406080a0c0el0121416181alcledl 

9f5a30367065efbe914b53698c8716b7 

1 

0 

04080cl014181c2024282c3034383da2 
d018cfb81d0580edbff 955ed74d382db 
0 
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1 


Ciphertext 
Segment  #12 

Input  Block  08101820283038404850586068707b45 

Output  Block  81272ab351e08e0b695b94b8164d86f4 

Plaintext  0 

Ciphertext  1 

Segment  #13 

Input  Block  102030405060708090a0b0c0d0e0f 68b 

Output  Block  094d33f 856483d3fa01ba94f7e5ab3e7 

Plaintext  0 

Ciphertext  0 

Segment  #14 

Input  Block  20406080a0c0el0121416181alcledl6 

Output  Block  609900ad61923c8cl02cd8d0d7947a2c 

Plaintext  0 

Ciphertext  0 

Segment  #15 

Input  Block  4080cl014181c2024282c3034383da2c 

Output  Block  9e5al54de966ab4db9c88b22a398134e 

Plaintext  0 

Ciphertext  1 

Segment  #16 

Input  Block  8101820283038404850586068707b459 

Output  Block  7fel6252b338bc4de3725c4156dfed20 

Plaintext  1 

Ciphertext  1 

F.3.2  CFB1 -AES  128.  Decrypt 

Key  2b7el51628aed2a6abf7158809cf4f3c 

IV  0001020304050 607080 90a0b0c0d0e0f 

Segment  #1 

Input  Block  000102030405060708090a0b0c0d0e0f 

Output  Block  50fe67cc996d32b6da0 937e99bafec60 

Ciphertext  0 

Plaintext  0 

Segment  #2 

Input  Block  00020406080a0c0el0121416181alcle 

Output  Block  1 9cf 57 6c75 96e7 02f 2 98b35 666955c7 9 

Ciphertext  1 

Plaintext  1 

Segment  #3 

Input  Block  0004080cl014181c2024282c3034383d 

Output  Block  59el7759acd02b801fa321ea059e331f 

Ciphertext  1 

Plaintext  1 

Segment  #4 

Input  Block  0008101820283038404850586068707b 

Output  Block  71f415b0ccl09e8b0faal4ab740c22f4 

Ciphertext  0 

Plaintext  0 

Segment  #5 

Input  Block  00102030405060708090a0b0c0d0e0f 6 

Output  Block  3fb7 6d3dl 04 8 17 99645 97a0f 64d5adad 
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Ciphertext 
Plaintext 
Segment  #6 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #7 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #8 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #9 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #10 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #11 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #12 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #13 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #14 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #15 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #16 
Input  Block 


1 

1 

0020406080a0c0el0121416181alcled 

4c943b4bac54ab974e3e52326d29aaal 

0 

0 

004080cl014181c2024282c3034383da 

C94da41eb3d3acfl993a512able8203f 

0 

1 

00810182028303840485058606870 7b4 
e07f5e98778f75dbb2691c3f582c3953 
0 
1 

01020304050 607080 90a0b0c0d0e0f 68 
02ef5fc8961efcce8568bc0731262dc7 
1 
1 

020406080a0c0el0121416181alcledl 

9f5a30367065efbe914b53698c8716b7 

0 

1 

04080cl014181c2024282c3034383da2 
d018cfb81d0580edbff 955ed74d382db 
1 
0 

0810182028303840485058 60 68707b45 
81272ab351e08e0b695b94b8164d86f4 
1 
0 

1020304050 607080 90a0b0c0d0e0f 68b 
094d33f856483d3fa01ba94f7e5ab3e7 
0 
0 

20406080a0c0el0121416181alcledl6 

609900ad61923c8cl02cd8d0d7947a2c 

0 

0 

4080cl014181c2024282c3034383da2c 

9e5al54de966ab4db9c88b22a398134e 

1 

0 

810182028303840485058 60 68707b459 
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Output  Block 

Ciphertext 

Plaintext 


7fel6252b338bc4de3725c4156dfed20 

1 

1 


F.3.3  CFB1-AES192.Encrypt 

Key  8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b 

IV  0001020304050 607080 90a0b0c0d0e0f 


Segment  #1 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #2 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #3 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #4 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #5 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #6 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #7 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #8 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #9 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #10 


0001020304050 607080 90a0b0c0d0e0f 
a609b38df3bll33dddff2718ba09565e 
0 
1 

00020406080a0c0el0121416181alclf 
a0e2bee6ebl7  34  37  9bd4  90  8be6a9  91a0 
1 
0 

0004080cl014181c2024282c3034383e 
blal7  6  6bedec7ee3ba9cd3f 34fbed4c6 
1 
0 

0008101820283038404850586068707c 

b294ae5f393ae0179e6d3d8c45a7a4b9 

0 

1 

001020304050 607080 90a0b0c0d0e0f 9 
f0f703ff5d0634aa8aee7fle26aafca3 
1 
0 

0020406080a0c0el0121416181alclf2 

4d67df426abdb8c89e7de9fb3069d8be 

0 

0 

004080cl014181c2024282c3034383e4 

30bc892338dfal0664118b9f4ba348d2 

1 

1 

008101820283038404850586068707C9 
7  63ad8c63ed7  8d6  64  52bb4  4c8bb7a8c8 
1 
1 

01020304050 607080 90a0b0c0d0e0f 93 
bfc36f5cfbcl306859b48f8fa62a43df 
1 
0 
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Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #11 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #12 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #13 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #14 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #15 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #16 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 


020406080a0c0el0121416181alclf26 
1 6e27adacll2a0bf 6a69c95cbdf 584a3 
1 
1 

04080cl014181c2024282c3034383e4d 
Ie9d21c3da3de91 8 6251 160 04575 6ce0 
0 
0 

08101820283038404850586068707c9a 
b836e0f 661b51d8bd38c448e0e5allbb 
0 
1 

1020304050 607080 90a0b0c0d0e0f 935 
c5ef cddO  9dbb92dlf aada8f 6c9bab0  52 
0 
1 

20406080a0c0el0121416181alclf26b 

7c99710018d88e40bd4ac8flb2bf4dbb 

0 

0 

4080cl014181c2024282c3034383e4d6 

173bcd8b4dad60ae6646813fdcb81f5b 

0 

0 

8101820283038404850586068707c9ac 

09844c6d2272dl48d5aflc7bf01bb439 

1 

1 


F.  3. 4  CFB 1 -AES  192.  Decrypt 

Key  8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b 

IV  0001020304050 607080 90a0b0c0d0e0f 


Segment  #I 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 


0001020304050 607080 90a0b0c0d0e0f 
a609b38df3bll33dddff2718ba09565e 
1 
0 


Segment  #2 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 


00020406080a0c0el0121416181alclf 
a0e2bee6ebl7  34  37  9bd4  90  8be6a9  91a0 
0 
1 


Segment  #3 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 


0004080cl014181c2024282c3034383e 
blal7  6  6bedec7ee3ba9cd3f 34fbed4c6 
0 
1 
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Segment  #4 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #5 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #6 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #7 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #8 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #9 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #10 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #11 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #12 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #13 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #14 
Input  Block 
Output  Block 
Ciphertext 


0008101820283038404850586068707c 

b294ae5f393ae0179e6d3d8c45a7a4b9 

1 

0 

001020304050 607080 90a0b0c0d0e0f 9 
f0f703ff5d0634aa8aee7fle26aafca3 
0 
1 

0020406080a0c0el0121416181alclf2 

4d67df426abdb8c89e7de9fb3069d8be 

0 

0 

004080cl014181c2024282c3034383e4 

30bc892338dfal0664118b9f4ba348d2 

1 

1 

008101820283038404850586068707C9 
7  63ad8c63ed7  8d6  64  52bb4  4c8bb7a8c8 
1 
1 

01020304050 607080 90a0b0c0d0e0f 93 
bfc36f5cfbcl306859b48f8fa62a43df 
0 
1 

020406080a0c0el0121416181alclf26 
1 6e27adacll2a0bf 6a69c95cbdf 584a3 
1 
1 

04080cl014181c2024282c3034383e4d 
Ie9d21c3da3de91 8 6251 160 04575 6ce0 
0 
0 

08101820283038404850586068707c9a 
b836e0f 661b51d8bd38c448e0e5allbb 
1 
0 

1020304050 607080 90a0b0c0d0e0f 935 
c5ef cddO  9dbb92dlf aada8f 6c9bab0  52 
1 
0 

20406080a0c0el0121416181alclf26b 

7c99710018d88e40bd4ac8flb2bf4dbb 

0 
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Plaintext 
Segment  #15 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #16 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 


0 

4080cl014181c2024282c3034383e4d6 

173bcd8b4dad60ae6646813fdcb81f5b 

0 

0 

8101820283038404850586068707c9ac 

09844c6d2272dl48d5aflc7bf01bb439 

1 

1 


F.3.5  CFB1-AES256. Encrypt 

Key  603debl015ca71be2b73aef 0857d7781 

If352c073b6108d72d9810a30914dff4 
IV  0001020304050 607080 90a0b0c0d0e0f 


Segment  #I 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #2 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #3 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #4 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #5 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #6 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #7 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #8 
Input  Block 


0001020304050 607080 90a0b0c0d0e0f 
b7bf3a5df43989dd97f0fa97ebce2f4a 
0 
1 

00020406080a0c0el0121416181alclf 

ee93d380e0f01117fffd78017599514a 

1 

0 

0004080cl014181c2024282c3034383e 
85774 98 98b3602aad91e699911de89b0 
1 
0 

0008101820283038404850586068707c 

dce81c80810e2ba343a6bb402716b7a8 

0 

1 

001020304050 607080 90a0b0c0d0e0f 9 
e5517bfcdccea00501350a601f754823 
1 
0 

0020406080a0c0el0121416181alclf2 
157 99c7f 4081a78cc41f 2 995534 9c5a0 
0 
0 

004080cl014181c2024282c3034383e4 
84d246bdb391f 6a7979ff5ccb8467262 
1 
0 

008101820283038404850586068707C8 
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Output  Block 
Plaintext 
Ciphertext 
Segment  #9 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #10 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #11 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #12 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #13 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #14 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #15 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #16 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 


bb9e05db9855a9e7e3837a648dd4c3b0 

1 

0 

01020304050 607080 90a0b0c0d0e0f 90 
a413c5714f70287dfcd943004bf7ac8e 
1 
0 

020406080a0c0el0121416181alclf20 
a7310abf87610d66edf 6c892a84460d5 
1 
0 

04080cl014181c2024282c3034383e40 

8aec6712d89bdl47c83b51d787bll399 

0 

1 

08101820283038404850586068707C81 
2ff05b620f 68134f4ba92deffbfc93b2 
0 
0 

1020304050 607080 90a0b0c0d0e0f 902 
819208afd5284316065a76bead028ad3 
0 
1 

20406080a0c0el0121416181alclf205 

1914ed64b2115167ce2ca4c813da5245 

0 

0 

4080cl014181c2024282c3034383e40a 
638abae8724a954ae9ele2ell 9deb6el 
0 
0 

8101820283038404850586068707c814 
2b4f488a3f 958c52a3fldb2da938360e 
1 
1 


F.  3. 6  CFB 1 -AES256.  Decrypt 

Key  603debl015ca71be2b73aef 0857d7781 

If352c073b6108d72d9810a30914dff4 
IV  0001020304050 607080 90a0b0c0d0e0f 


Segment  #I 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 


0001020304050 607080 90a0b0c0d0e0f 
b7bf3a5df43989dd97f0fa97ebce2f4a 
1 
0 
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Segment  #2 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #3 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #4 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #5 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #6 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #7 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #8 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #9 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #10 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #11 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #12 
Input  Block 
Output  Block 
Ciphertext 


00020406080a0c0el0121416181alclf 

ee93d380e0f01117fffd78017599514a 

0 

1 

0004080cl014181c2024282c3034383e 
85774 98 98b3602aad91e699911de89b0 
0 
1 

0008101820283038404850586068707c 

dce81c80810e2ba343a6bb402716b7a8 

1 

0 

001020304050 607080 90a0b0c0d0e0f 9 
e5517bfcdccea00501350a601f754823 
0 
1 

0020406080a0c0el0121416181alclf2 
157 99c7f 4081a78cc41f 2 995534 9c5a0 
0 
0 

004080cl014181c2024282c3034383e4 
84d246bdb391f 6a7979ff5ccb8467262 
0 
1 

008101820283038404850586068707C8 

bb9e05db9855a9e7e3837a648dd4c3b0 

0 

1 

01020304050 607080 90a0b0c0d0e0f 90 
a413c5714f70287dfcd943004bf7ac8e 
0 
1 

020406080a0c0el0121416181alclf20 
a7310abf87610d66edf 6c892a84460d5 
0 
1 

04080cl014181c2024282c3034383e40 

8aec6712d89bdl47c83b51d787bll399 

1 

0 

08101820283038404850586068707C81 
2ff05b620f 68134f4ba92deffbfc93b2 
0 
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0 


Plaintext 
Segment  #13 

Input  Block  102030405060708090a0b0c0d0e0f 902 

Output  Block  8 1 92 0 8af d52 8431 60 65a7 6bead02 8ad3 

Ciphertext  1 

Plaintext  0 

Segment  #14 

Input  Block  20406080a0c0el0121416181alclf205 

Output  Block  1914ed64b2115167ce2ca4c813da5245 

Ciphertext  0 

Plaintext  0 
Segment  #15 

Input  Block  4080cl014181c2024282c3034383e40a 

Output  Block  638abae8724a954ae9ele2ell9deb6el 

Ciphertext  0 

Plaintext  0 

Segment  #16 

Input  Block  8101820283038404850586068707c814 

Output  Block  2b4f 488a3f 958c52a3f Idb2da938360e 

Ciphertext  1 

Plaintext  1 

F.  3. 7  CFB8-AES 128.  Encrypt 

Key  2b7el51 628 aed2a6ab 1715880 9cf4f3c 

IV  0001020304050 607080 90a0b0c0d0e0f 

Segment  #I 

Input  Block  000102030405060708090a0b0c0d0e0f 

Output  Block  50fe67cc996d32b6da0 937e99bafec60 

Plaintext  6b 

Ciphertext  3b 

Segment  #2 

Input  Block  0102030405060708090a0b0c0d0e0f3b 

Output  Block  b8eb865a2b026381abbld6560ed20f 68 

Plaintext  cl 

Ciphertext  79 

Segment  #3 

Input  Block  02030405060708090a0b0c0d0e0f3b79 

Output  Block  fce6033b4edce64cbaed3f 61f f 5b927c 

Plaintext  be 

Ciphertext  42 

Segment  #4 

Input  Block  030405060708090a0b0c0d0e0f3b7942 

Output  Block  ae4e5e7f fe805f 7a4395bl80004f 8ca8 

Plaintext  e2 

Ciphertext  4c 

Segment  #5 

Input  Block  0405060708090a0b0c0d0e0f3b79424c 

Output  Block  b205eb89445b62116f Ideb988a81e6dd 

Plaintext  2e 

Ciphertext  9c 

Segment  #6 

Input  Block  05060708090a0b0c0d0e0f3b79424c9c 

Output  Block  4d21d456a5e239064fff4be0c0f 85488 
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Plaintext 
Ciphertext 
Segment  #7 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #8 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #9 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #10 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #11 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #12 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #13 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #14 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #15 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #16 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #17 
Input  Block 


40 

Od 

0 607080 90a0b0c0d0e0f3b79424c9c0d 
4b2f5c3895b9efdc85ee0c5178c7fd33 
9f 
d4 

07080 90a0b0c0d0e0f3b79424c9c0dd4 
a0976d856da260a34104dla80953db4c 
96 
36 

08090a0b0c0d0e0f3b79424c9c0dd436 
53674e5890a2c71b0f 6a27a094e5808c 
e9 
ba 

090a0b0c0d0e0f3b79424c9c0dd436ba 
f 34cd32f fed4  95f 8bc8adbal 94eccb7a 
3d 
ce 

OaObOcOdOeOf 3b7  942  4c9c0dd4  3  6bace 
e08cf2407d7ed676c9049586fld48ba6 
7e 
9e 

ObOcOdOeOf 3b7  942  4c9c0dd4  3  6bace9e 
If 5c8  8al 9b6ca2  8e9  9c9aeb8  982a6dd8 
11 
Oe 

OcOdOeOf 3b7  942  4c9c0dd4  3  6bace9e0e 
a70e63df781cf395a208bd2365c8779b 
73 
d4 

OdOeOf 3b7  942  4c9c0dd4  3  6bace9e0ed4 
cbcfe8b 3bcf9ac202ce 18420013319 ab 
93 
58 

OeOf 3b7  942  4c9c0dd4  3  6bace9e0ed4  5  8 
7d9fac6604b3c8c5blf8c5a00956cf56 
17 
6a 

Of 3b7  942  4c9c0dd4  3  6bace9e0ed4  5  8  6a 
65c3fa64bf0343986825c636f4alefd2 
2a 
4f 

3b7  942  4c9c0dd4  3  6bace9e0ed4  5  8  6a4f 
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Output  Block  9cf f 5e5f f 4f 554d56c924b9d6a6de21d 

Plaintext  ae 

Ciphertext  32 

Segment  #18 

Input  Block  79424c9c0dd436bace9e0ed4586a4f32 

Output  Block  946c3dcl584ccl8400ecd8c6052c44bl 

Plaintext  2d 

Ciphertext  b9 

F.3.8  CFB8-AES 128.  Decrypt 

Key  2b7el51628aed2a6abf7158809cf4f3c 

IV  0001020304050 607080 90a0b0c0d0e0f 

Segment  #I 

Input  Block  000102030405060708090a0b0c0d0e0f 

Output  Block  50fe67cc996d32b6da0 937e99bafec60 

Ciphertext  3b 

Plaintext  6b 

Segment  #2 

Input  Block  0102030405060708090a0b0c0d0e0f3b 

Output  Block  b8eb865a2b026381abbld6560ed20f 68 

Ciphertext  79 

Plaintext  cl 

Segment  #3 

Input  Block  02030405060708090a0b0c0d0e0f3b79 

Output  Block  fce6033b4edce64cbaed3f 61f f 5b927c 

Ciphertext  42 

Plaintext  be 

Segment  #4 

Input  Block  030405060708090a0b0c0d0e0f3b7942 

Output  Block  ae4e5e7f fe805f 7a4395bl80004f 8ca8 

Ciphertext  4c 

Plaintext  e2 

Segment  #5 

Input  Block  0405060708090a0b0c0d0e0f3b79424c 

Output  Block  b205eb89445b62116f Ideb988a81e6dd 

Ciphertext  9c 

Plaintext  2e 

Segment  #6 

Input  Block  05060708090a0b0c0d0e0f3b79424c9c 

Output  Block  4d21d456a5e239064fff4be0c0f 85488 

Ciphertext  Od 

Plaintext  40 

Segment  #7 

Input  Block  060708090a0b0c0d0e0f3b79424c9c0d 

Output  Block  4b2f5c3895b9efdc85ee0c5178c7fd33 

Ciphertext  d4 

Plaintext  9f 

Segment  #8 

Input  Block  0708090a0b0c0d0e0f3b79424c9c0dd4 

Output  Block  aO 97 6d85 6da2 60a34 1 04dla8 0 953db4c 

Ciphertext  36 

Plaintext  96 

Segment  #9 
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Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #10 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #11 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #12 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #13 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #14 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #15 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #16 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #17 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #18 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 


08090a0b0c0d0e0f3b79424c9c0dd436 
53674e5890a2c71b0f 6a27a094e5808c 
ba 
e9 

090a0b0c0d0e0f3b79424c9c0dd436ba 
f 34cd32f fed4  95f 8bc8adbal 94eccb7a 
ce 
3d 

OaObOcOdOeOf 3b7  942  4c9c0dd4  3  6bace 
e08cf2407d7ed676c9049586fld48ba6 
9e 
7e 

ObOcOdOeOf 3b7  942  4c9c0dd4  3  6bace9e 
If 5c8  8al 9b6ca2  8e9  9c9aeb8  982a6dd8 
Oe 
11 

OcOdOeOf 3b7  942  4c9c0dd4  3  6bace9e0e 
a70e63df781cf395a208bd2365c8779b 
d4 
73 

OdOeOf 3b7  942  4c9c0dd4  3  6bace9e0ed4 
cbcfe8b 3bcf9ac202ce 18420013319 ab 
58 
93 

OeOf 3b7  942  4c9c0dd4  3  6bace9e0ed4  5  8 
7d9fac6604b3c8c5blf8c5a00956cf56 
6a 
17 

Of 3b7  942  4c9c0dd4  3  6bace9e0ed4  5  8  6a 
65c3fa64bf0343986825c636f4alefd2 
4f 
2a 

3b7  942  4c9c0dd4  3  6bace9e0ed4  5  8  6a4f 
9cff5e5ff4f554d56c924b9d6a6de21d 
32 
ae 

79424c9c0dd436bace9e0ed4586a4f32 

946c3dcl584ccl8400ecd8c6052c44bl 

b9 

2d 


F.3.9  CFB8-AES192.Encrypt 

Key  8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b 
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IV 

Segment  #1 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #2 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #3 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #4 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #5 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #6 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #7 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #8 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #9 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #10 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #11 
Input  Block 
Output  Block 


0001020304050 607080 90a0b0c0d0e0f 

0001020304050 607080 90a0b0c0d0e0f 
a609b38df3bll33dddff2718ba09565e 
6b 
cd 

01020304050 607080 90a0b0c0d0e0fcd 
63c82e99e7289617c49e6851e082142a 
cl 
a2 

020304050 607080 90a0b0c0d0e0fcda2 
ec40a5497264bfb4d6820aaae73f75af 
be 
52 

0304050 607080 90a0b0c0d0e0fcda252 
fc011a96afe968c32bae6495173a9154 
e2 
le 

04050 607080 90a0b0c0d0e0fcda2521e 
de019e09ac995ba46a42916ef77d8fe5 
2e 
fO 

050 607080 90a0b0c0d0e0fcda2521ef0 
e980477efb7f896e07c4a2d527e7b537 
40 
a9 

0  607080  90a0b0c0d0e0fcda2521ef0a9 
9a9a77bll709b36e08e9321ae8ble539 
9f 
05 

07080  90a0b0c0d0e0fcda2521ef0a905 
5caldl92a780fbcal471el0588593c7c 
96 
ca 

080  90a0b0c0d0e0f cda2  521ef 0a90  5ca 
addb26efd21de4d002474c7748e0bcld 
e9 
44 

0  90a0b0c0d0e0f cda2  521ef 0a90  5ca4  4 
f0c410ad6512c5177a5ee40a60de01b8 
3d 
cd 

OaObOcOdOeOf cda2521ef 0a905ca44cd 
7bbf71f2b4f5cf 68f3c0clb9235dbd53 
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Plaintext 
Ciphertext 
Segment  #12 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #13 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #14 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #15 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #16 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #17 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #18 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 


7e 

05 

ObOcOdOeOf cda2521ef 0a905ca44cd05 
6dafb26e3c63b350811394b382el4d69 
11 
7c 

OcOdOeOf cda2521ef 0a905ca44cd057c 
ccd6e2  52  55a8  0e9bdbec9fbc2  6e5f ad6 
73 
bf 

OdOeOf cda2521ef 0a905ca44cd057cbf 
9e33550f 6d47bda77f4f3108181ab21c 
93 
Od 

OeOf cda2521ef 0a905ca44cd057cbf Od 
5  0b3eae2  9a6623fbef 6d72  6dbda675a8 
17 
47 

Of cda2521ef 0a905ca44cd057cbf 0d47 
8a2a57dlb9158539ef7ff42b33bf0a4a 
2a 
aO 

cda2521ef 0a905ca44cd057cbf 0d47a0 
C94e9102ac731d2fl27b657d810ef5a8 
ae 
67 

a2521ef0a905ca44cd057cbf0d47a067 

a765ed650568fbe386660def5f8d491d 

2d 

8a 


F.3.10  CFB8-AES192.Decrypt 

Key  8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b 

IV  0001020304050 607080 90a0b0c0d0e0f 


Segment  #I 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 


0001020304050 607080 90a0b0c0d0e0f 
a609b38df3bll33dddff2718ba09565e 
cd 
6b 


Segment  #2 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 


01020304050 607080 90a0b0c0d0e0fcd 
63c82e99e7289617c49e6851e082142a 
a2 
cl 


Segment  #3 

Input  Block  02030405060708090a0b0c0d0e0fcda2 
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Output  Block 
Ciphertext 
Plaintext 
Segment  #4 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #5 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #6 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #7 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #8 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #9 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #10 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #11 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #12 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #13 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #14 


ec40a5497264bfb4d6820aaae73f75af 

52 

be 

0304050 607080 90a0b0c0d0e0fcda252 
fc011a96afe968c32bae6495173a9154 
le 
e2 

04050 607080 90a0b0c0d0e0fcda2521e 
de019e09ac995ba46a42916ef77d8fe5 
fO 
2e 

050 607080 90a0b0c0d0e0fcda2521ef0 
e980477efb7f896e07c4a2d527e7b537 
a9 
40 

0  607080  90a0b0c0d0e0fcda2521ef0a9 
9a9a77bll709b36e08e9321ae8ble539 
05 
9f 

07080  90a0b0c0d0e0fcda2521ef0a905 
5caldl92a780fbcal471el0588593c7c 
ca 
96 

080  90a0b0c0d0e0f cda2  521ef 0a90  5ca 
addb26efd21de4d002474c7748e0bcld 
44 
e9 

0  90a0b0c0d0e0f cda2  521ef 0a90  5ca4  4 
f0c410ad6512c5177a5ee40a60de01b8 
cd 
3d 

OaObOcOdOeOf cda2521ef 0a905ca44cd 
7bbf71f2b4f5cf 68f3c0clb9235dbd53 
05 
le 

ObOcOdOeOf cda2521ef 0a905ca44cd05 
6dafb26e3c63b350811394b382el4d69 
Ic 
11 

OcOdOeOf cda2521ef 0a905ca44cd057c 
ccd6e2  52  55a8  0e9bdbec9fbc2  6e5f ad6 
bf 
73 
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Input  Block  0d0e0fcda2521ef 0a905ca44cd057cbf 

Output  Block  9e33550f 6d47bda77f 4f 3108181ab21c 

Ciphertext  Od 

Plaintext  93 

Segment  #15 

Input  Block  0e0fcda2521ef 0a905ca44cd057cbf Od 

Output  Block  50b3eae29a6623fbef 6d726dbda675a8 

Ciphertext  47 

Plaintext  17 

Segment  #16 

Input  Block  0fcda2521ef 0a905ca44cd057cbf 0d47 

Output  Block  8a2a57dlb9158539ef 7f f 42b33bf 0a4a 

Ciphertext  aO 

Plaintext  2a 

Segment  #17 

Input  Block  cda2521ef 0a905ca44cd057cbf 0d47a0 

Output  Block  c94e9102ac731d2f 127b657d810ef 5a8 

Ciphertext  67 

Plaintext  ae 

Segment  #18 

Input  Block  a2521ef 0a905ca44cd057cbf 0d47a067 

Output  Block  a7 65ed6505 68fbe38 6660def 5f 8d4 91d 

Ciphertext  8a 

Plaintext  2d 


F.3.11  CFB8-AES256.  Encrypt 

Key  603debl015ca71be2b73aef 0857d7781 

If352c073b6108d72d9810a30914dff4 
IV  0001020304050 607080 90a0b0c0d0e0f 

Segment  #I 

Input  Block  000102030405060708090a0b0c0d0e0f 

Output  Block  b7bf3a5df43989dd97f 0fa97ebce2f4a 

Plaintext  6b 

Ciphertext  dc 

Segment  #2 

Input  Block  0102030405060708090a0b0c0d0e0fdc 

Output  Block  ded5faadbl068af80e774684b9f 84870 

Plaintext  cl 

Ciphertext  If 

Segment  #3 

Input  Block  02030405060708090a0b0c0d0e0fdclf 

Output  Block  a41e327e5273366ce9403cdbdb92clcc 

Plaintext  be 

Ciphertext  la 

Segment  #4 

Input  Block  030405060708090a0b0c0d0e0fdclf la 

Output  Block  67938ae7d34df4ec2c0aec33eb98318f 

Plaintext  e2 

Ciphertext  85 

Segment  #5 

Input  Block  0405060708090a0b0c0d0e0fdclf la85 

Output  Block  0e8f2e31efff 615d3c93946609808c37 

Plaintext  2e 
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Ciphertext 
Segment  #6 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #7 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #8 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #9 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #10 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #11 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #12 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #13 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #14 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #15 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #16 
Input  Block 
Output  Block 


20 

050 607080 90a0b0c0d0e0fdclfla8520 
e648bb37a95c94c72784162a79dfe306 
40 
a6 

0 607080 90a0b0c0d0e0fdclfla8520a6 
d278f 31472 90fc5dd0b7d2e82764alfd 
9f 
4d 

07080 90a0b0c0d0e0fdclfla8520a64d 
2388d255a3e8a8059675e3a7del9dceb 
96 
b5 

08090a0b0c0d0e0fdclfla8520a64db5 
b6b8008f 6c6dc2d6144641ed2023f0f5 
e9 
5f 

090a0b0c0d0e0fdclfla8520a64db55f 
fl8f88a7aa3e3a6167dd93fbl 1377 13a 
3d 
cc 

0a0b0c0d0e0fdclfla8520a64db55fcc 

f46c5e67bff7c070b26c0318c52d0ccd 

7e 

8a 

0b0c0d0e0fdclfla8520a64db55fcc8a 
d4dceae622f8f21d27375d8c2c5f 9fba 
11 
c5 

0c0d0e0fdclfla8520a64db55fcc8ac5 
27e9e0d0a0167  0  9cd3ae0b5a9a2  42e31 
73 
54 

0d0e0fdclfla8520a64db55fcc8ac554 
17f 69d50ce64ba0d085de70b9030bbb2 
93 
84 

0e0fdclfla8520a64db55fcc8ac55484 
5 91 06ee400dl8el 04337 66962 8c33cdd 
17 
4e 

0fdclfla8520a64db55fcc8ac554844e 

a29c6ac87e2245ec0796772clf5312a8 
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2a 


Plaintext 
Ciphertext  88 

Segment  #17 

Input  Block  dclf Ia8520a64db55fcc8ac554844e88 

Output  Block  397b98fa2ec0ff 8cc0cd821909551c9e 

Plaintext  ae 

Ciphertext  97 

Segment  #18 

Input  Block  If Ia8520a64db55fcc8ac554844e8897 

Output  Block  2d2d6fe9aef 72f 7b914b623a9c7abd54 

Plaintext  2d 

Ciphertext  00 

F.  3. 12  CFB8-AES256.  Decrypt 

Key  603debl015ca71be2b73aef 0857d7781 

If352c073b6108d72d9810a30914dff4 
IV  0001020304050 607080 90a0b0c0d0e0f 

Segment  #I 

Input  Block  000102030405060708090a0b0c0d0e0f 

Output  Block  b7bf3a5df43989dd97f 0fa97ebce2f4a 

Ciphertext  dc 

Plaintext  6b 

Segment  #2 

Input  Block  0102030405060708090a0b0c0d0e0fdc 

Output  Block  ded5faadbl068af80e774684b9f 84870 

Ciphertext  If 

Plaintext  cl 

Segment  #3 

Input  Block  02030405060708090a0b0c0d0e0fdclf 

Output  Block  a41e327e5273366ce9403cdbdb92clcc 

Ciphertext  la 

Plaintext  be 

Segment  #4 

Input  Block  030405060708090a0b0c0d0e0fdclf la 

Output  Block  67938ae7d34df4ec2c0aec33eb98318f 

Ciphertext  85 

Plaintext  e2 

Segment  #5 

Input  Block  0405060708090a0b0c0d0e0fdclf la85 

Output  Block  0e8f2e31efff 615d3c93946609808c37 

Ciphertext  20 

Plaintext  2e 

Segment  #6 

Input  Block  05060708090a0b0c0d0e0fdclf la8520 

Output  Block  e648bb37a95c94c72784162a79dfe306 

Ciphertext  a6 

Plaintext  40 

Segment  #7 

Input  Block  060708090a0b0c0d0e0fdclf Ia8520a6 

Output  Block  d27 8f 31472 90f c5dd0b7d2e827 64alfd 

Ciphertext  4d 

Plaintext  9f 

Segment  #8 
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Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #9 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #10 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #11 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #12 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #13 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #14 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #15 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #16 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #17 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Segment  #18 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 


07080 90a0b0c0d0e0fdclfla8520a64d 
2388d255a3e8a8059675e3a7del9dceb 
b5 
96 

08090a0b0c0d0e0fdclfla8520a64db5 
b6b8008f 6c6dc2d6144641ed2023f0f5 
5f 
e9 

090a0b0c0d0e0fdclfla8520a64db55f 
fl8f88a7aa3e3a6167dd93fbl 1377 13a 
cc 
3d 

0a0b0c0d0e0fdclfla8520a64db55fcc 

f46c5e67bff7c070b26c0318c52d0ccd 

8a 

7e 

0b0c0d0e0fdclfla8520a64db55fcc8a 
d4dceae622f8f21d27375d8c2c5f 9fba 
c5 
11 

0c0d0e0fdclfla8520a64db55fcc8ac5 
27e9e0d0a0167  0  9cd3ae0b5a9a2  42e31 
54 
73 

0d0e0fdclfla8520a64db55fcc8ac554 
17f 69d50ce64ba0d085de70b9030bbb2 
84 
93 

0e0fdclfla8520a64db55fcc8ac55484 
5 91 06ee400dl8el 04337 66962 8c33cdd 
4e 
17 

0fdclfla8520a64db55fcc8ac554844e 

a29c6ac87e2245ec0796772clf5312a8 


2a 

dclfla8520a64db55fcc8ac554844e88 

397b98fa2ec0ff8cc0cd821909551c9e 

97 

ae 

Ifla8520a64db55fcc8ac554844e8897 

2d2d6fe9aef72f7b914b623a9c7abd54 

00 

2d 
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F.3.13  CFB 128-AES 128.  Encrypt 

Key  2b7el51628aed2a6abf7158809cf4f3c 
IV  0001020304050 607080 90a0b0c0d0e0f 
Segment  #1 

Input  Block  000102030405060708090a0b0c0d0e0f 
Output  Block  50fe67cc996d32b6da0 937e99bafec60 
Plaintext  6bclbee22e409f96e93d7ell7393172a 
Ciphertext  3b3fd92eb72dad2  0  3334  4  9f 8e8  3cfb4a 
Segment  #2 

Input  Block  3b3fd92eb72dad20333449f 8e83cfb4a 
Output  Block  668bcf 60beb005a35354a201dab36bda 
Plaintext  ae2d8a571e03ac9c9eb76fac45af8e51 
Ciphertext  c8a64537a0b3a93f cde3cdad9f lce58b 
Segment  #3 

Input  Block  c8a64537a0b3a93f cde3cdad9f lce58b 
Output  Block  16bd032100975551547b4de89daea630 
Plaintext  30c81c46a35ce411e5fbcll91a0a52ef 
Ciphertext  26751f 67a3cbbl40bl808cf 187a4f 4df 
Segment  #4 

Input  Block  26751f 67a3cbbl40bl808cfl87a4f4df 
Output  Block  36d42170a312871947ef8714799bc5f 6 
Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 
Ciphertext  c04b05357c5dlc0eeac4c66f9ff7f2e6 

F.  3. 14  CFB  128-AES  128.  Decrypt 

Key  2b7el51628aed2a6abf7158809cf4f3c 
IV  0001020304050 607080 90a0b0c0d0e0f 
Segment  #1 

Input  Block  000102030405060708090a0b0c0d0e0f 
Output  Block  50fe67cc996d32b6da0 937e99bafec60 
Ciphertext  3b3fd92eb72dad2  0  3334  4  9f 8e8  3cfb4a 
Plaintext  6bclbee22e409f96e93d7ell7393172a 
Segment  #2 

Input  Block  3b3fd92eb72dad20333449f 8e83cfb4a 
Output  Block  668bcf 60beb005a35354a201dab36bda 
Ciphertext  c8a64537a0b3a93f cde3cdad9f lce58b 
Plaintext  ae2d8a571e03ac9c9eb76fac45af8e51 
Segment  #3 

Input  Block  c8a64537a0b3a93f cde3cdad9f lce58b 
Output  Block  16bd032100975551547b4de89daea630 
Ciphertext  26751f 67a3cbbl40bl808cf 187a4f 4df 
Plaintext  30c81c46a35ce411e5fbcll91a0a52ef 
Segment  #4 

Input  Block  26751f 67a3cbbl40bl808cfl87a4f4df 
Output  Block  36d42170a312871947ef8714799bc5f 6 
Ciphertext  c04b05357c5dlc0eeac4c66f9ff7f2e6 
Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 


F.3.15  CFB128-AES192.Encrypt 

Key  8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b 

IV  0001020304050 607080 90a0b0c0d0e0f 

Segment  #1 
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Input  Block  000102030405060708090a0b0c0d0e0f 

Output  Block  a609b38df3bll33dddff2718ba09565e 

Plaintext  6bclbee22e409f96e93d7ell7393172a 

Ciphertext  cdc8  0d6f ddf 1 8cab34c25  90  9c99a4 174 

Segment  #2 

Input  Block  cdc80d6fddf 18cab34c25909c99a4174 

Output  Block  c9e3f5289f 149abd08ad44dc52b2b32b 

Plaintext  ae2d8a571e03ac9c9eb76fac45af8e51 

Ciphertext  67ce7f7f 81173621961a2b70171d3d7a 

Segment  #3 

Input  Block  67ce7f7f81173621961a2b70171d3d7a 

Output  Block  Ied6965b7 6c7 6ca02dldcef 4 04f 0 962 6 

Plaintext  30c81c46a35ce411e5fbcll91a0a52ef 

Ciphertext  2ele8aldd5  9b8  8blc8e60fedlefac4c9 

Segment  #4 

Input  Block  2ele8aldd59b88blc8e60fedlefac4c9 

Output  Block  36c0bbd976ccd4b7ef 85ceclbe273eef 

Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 

Ciphertext  C05f9f9ca9834fa042ae8fba584b09ff 

F.3.16  CFB128-AES 192.  Decrypt 

Key  8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b 

IV  0001020304050 607080 90a0b0c0d0e0f 

Segment  #I 

Input  Block  000102030405060708090a0b0c0d0e0f 

Output  Block  a609b38df3bll33dddff2718ba09565e 

Ciphertext  cdc8  0d6f ddf 1 8cab34c25  90  9c99a4 174 

Plaintext  6bclbee22e409f96e93d7ell7393172a 

Segment  #2 

Input  Block  cdc80d6fddf 18cab34c25909c99a4174 

Output  Block  c9e3f5289f 149abd08ad44dc52b2b32b 

Ciphertext  67ce7f7f 81173621961a2b70171d3d7a 

Plaintext  ae2d8a571e03ac9c9eb76fac45af8e51 

Segment  #3 

Input  Block  67ce7f7f81173621961a2b70171d3d7a 

Output  Block  Ied6965b7 6c7 6ca02dldcef 4 04f 0 962 6 

Ciphertext  2ele8aldd5  9b8  8blc8e60fedlefac4c9 

Plaintext  30c81c46a35ce411e5fbcll91a0a52ef 

Segment  #4 

Input  Block  2ele8aldd59b88blc8e60fedlefac4c9 

Output  Block  36c0bbd976ccd4b7ef 85ceclbe273eef 

Ciphertext  C05f9f9ca9834fa042ae8fba584b09ff 

Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 


F.3.17  CFB 128-AES256.  Encrypt 

Key  603debl015ca71be2b73aef 0857d7781 

If352c073b6108d72d9810a30914dff4 
IV  0001020304050 607080 90a0b0c0d0e0f 
Segment  #I 

Input  Block  000102030405060708090a0b0c0d0e0f 
Output  Block  b7bf3a5df43989dd97f 0fa97ebce2f4a 
Plaintext  6bclbee22e409f96e93d7ell7393172a 
Ciphertext  dc7e84bfda79164b7ecd8486985d3860 
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Segment  #2 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #3 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Segment  #4 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 


dc7e84bfda79164b7ecd8486985d3860 

97d26743252bld54aca653cf744ace2a 

ae2d8a571e03ac9c9eb76fac45af8e51 

39ffedl43b28blc832113c6331e5407b 

39ffedl43b28blc832113c6331e5407b 
efd80f 62b6b9af8344c511bl3c70b016 
30c81c46a35ce411e5fbcll91a0a52ef 
dfl0132415e54b92al3ed0a8267ae2f 9 

dfl0132415e54b92al3ed0a8267ae2f 9 
833cal31c5f 655ef8dla2346b3ddd361 
f 69f2445df4f 9bl7ad2b417be66c3710 
75a385741ab9cef82031623d55ble471 


F.3.18  CFB 128-AES256.  Decrypt 

Key  603debl015ca71be2b73aef 0857d7781 

If352c073b6108d72d9810a30914dff4 
IV  0001020304050 607080 90a0b0c0d0e0f 


Segment  #I 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 


0001020304050 607080 90a0b0c0d0e0f 
b7bf3a5df43989dd97f0fa97ebce2f4a 
dc7e84bfda79164b7ecd8486985d3860 
6bclbee22e409f96e93d7el 173 93172a 


Segment  #2 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 


dc7e84bfda79164b7ecd8486985d3860 

97d26743252bld54aca653cf744ace2a 

39ffedl43b28blc832113c6331e5407b 

ae2d8a571e03ac9c9eb76fac45af8e51 


Segment  #3 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 


39ffedl43b28blc832113c6331e5407b 
efd80f 62b6b9af8344c511bl3c70b016 
dfl0132415e54b92al3ed0a8267ae2f 9 
30c81c46a35ce411e5fbcll91a0a52ef 


Segment  #4 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 


dfl0132415e54b92al3ed0a8267ae2f 9 
833cal31c5f 655ef8dla2346b3ddd361 
75a385741ab9cef82031623d55ble471 
f 69f2445df4f 9bl7ad2b417be66c3710 


F.4  OFB  Example  Vectors 


F.  4. 1  OFB- AES  128.  Encrypt 

Key  2b7el51628aed2a6abf7158809cf4f3c 

IV  0001020304050 607080 90a0b0c0d0e0f 


Block  #1 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Block  #2 
Input  Block 


0001020304050 607080 90a0b0c0d0e0f 
50fe67cc996d32b6da0937e99bafec60 
6bclbee22e409f96e93d7el 173 93172a 
3b3fd92eb72dad20333449f8e83cfb4a 

50fe67cc996d32b6da0937e99bafec60 
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Output  Block 
Plaintext 
Ciphertext 
Block  #3 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Block  #4 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 


d9a4dada0892239f 6b8b3d7680el5674 
ae2d8a571e03ac9c9eb76fac45af8e51 
7789508dl6918f03f53c52dac54ed825 

d9a4dada0892239f 6b8b3d7680el5674 
a78819583f0308e7a6bf36bl386abf23 
30c81c46a35ce411e5fbcll91a0a52ef 
9740051e9c5fecf 64344f7a82260edcc 

a78819583f0308e7a6bf36bl386abf23 
C6d3416d29165c6fcb8e51a227ba994e 
f 69f2445df4f 9bl7ad2b417be66c3710 
304c6528f 659c77866a510d9cld6ae5e 


F.4.2  OFB-AES 128.  Decrypt 

Key  2b7el51628aed2a6abf7158809cf4f3c 

IV  0001020304050 607080 90a0b0c0d0e0f 


Block  #1 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 


0001020304050 607080 90a0b0c0d0e0f 
50fe67cc996d32b6da0937e99bafec60 
3b3fd92eb72dad20333449f8e83cfb4a 
6bclbee22e409f96e93d7el 173 93172a 


Block  #2 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 


50fe67cc996d32b6da0937e99bafec60 
d9a4dada0892239f 6b8b3d7680el5674 
7789508dl6918f03f53c52dac54ed825 
ae2d8a571e03ac9c9eb76fac45af8e51 


Block  #3 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 


d9a4dada0892239f 6b8b3d7680el5674 
a78819583f0308e7a6bf36bl386abf23 
9740051e9c5fecf 64344f7a82260edcc 
30c81c46a35ce411e5fbcll91a0a52ef 


Block  #4 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 


a78819583f0308e7a6bf36bl386abf23 
C6d3416d29165c6fcb8e51a227ba994e 
304c6528f 659c77866a510d9cld6ae5e 
f 69f2445df4f 9bl7ad2b417be66c3710 


F.4.3  OFB-AES192.Encrypt 

Key  8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b 

IV  0001020304050 607080 90a0b0c0d0e0f 


Block  #1 
Input  Block 
Output  Block 
Plaintext 
Ciphertext 
Block  #2 
Input  Block 
Output  Block 
Plaintext 


0001020304050 607080 90a0b0c0d0e0f 
a609b38df3bll33dddff2718ba09565e 
6bclbee22e409f96e93d7el 173 93172a 
Cdc80d6fddfl8cab34c25909c99a4174 

a609b38df3bll33dddff2718ba09565e 

52ef01da52602fe0975f78ac84bf8a50 

ae2d8a571e03ac9c9eb76fac45af8e51 


Ciphertext  fcc28b8d4c63837c09e81700cll00401 

Block  #3 

Input  Block  52ef 01da52602fe0975f78ac84bf 8a50 
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Output  Block  bd5286ac63aabd7eb067ac54b553f71d 

Plaintext  30c81c46a35ce411e5fbcll91a0a52ef 

Ciphertext  8d9a9aeac0f6596f559c6d4daf59a5f2 

Block  #4 

Input  Block  bd5286ac63aabd7eb067ac54b553f71d 

Output  Block  9b00044d8885f729318713303fc0fe3a 

Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 

Ciphertext  6d9f 2  0  0  8  57ca6c3e9cac52  4bd9acc92a 

F.4.4  OFB-AES 192.  Decrypt 

Key  8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b 

IV  0001020304050 607080 90a0b0c0d0e0f 

Block  #1 

Input  Block  000102030405060708090a0b0c0d0e0f 

Output  Block  a609b38df3bll33dddff2718ba09565e 

Ciphertext  cdc8  0d6f ddf 1 8cab34c25  90  9c99a4 174 

Plaintext  6bclbee22e409f96e93d7ell7393172a 

Block  #2 

Input  Block  a609b38df3bll33dddff2718ba09565e 

Output  Block  52ef 01da52602fe0975f78ac84bf 8a50 

Ciphertext  fcc28b8d4c63837c09e81700cll00401 

Plaintext  ae2d8a571e03ac9c9eb76fac45af8e51 

Block  #3 

Input  Block  52ef 01da52602fe0975f78ac84bf 8a50 

Output  Block  bd5286ac63aabd7eb067ac54b553f71d 

Ciphertext  8d9a9aeac0f6596f559c6d4daf59a5f2 

Plaintext  30c81c46a35ce411e5fbcll91a0a52ef 

Block  #4 

Input  Block  bd5286ac63aabd7eb067ac54b553f71d 

Output  Block  9b00044d8885f729318713303fc0fe3a 

Ciphertext  6d9f 2  0  0  8  57ca6c3e9cac52  4bd9acc92a 

Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 

F.4.5  OFB-AES256.  Encrypt 

Key  603debl015ca71be2b73aef 0857d7781 

If352c073b6108d72d9810a30914dff4 
IV  0001020304050 607080 90a0b0c0d0e0f 

Block  #1 

Input  Block  000102030405060708090a0b0c0d0e0f 

Output  Block  b7bf3a5df43989dd97f 0fa97ebce2f4a 

Plaintext  6bclbee22e409f96e93d7ell7393172a 

Ciphertext  dc7e84bfda79164b7ecd8486985d3860 

Block  #2 

Input  Block  b7bf3a5df43989dd97f 0fa97ebce2f4a 

Output  Block  elc656305edla7a6563805746fe03edc 

Plaintext  ae2d8a571e03ac9c9eb76fac45af8e51 

Ciphertext  4f ebdc67  4  0d2  0b3ac8  8f6ad82a4fb0  8d 

Block  #3 

Input  Block  elc656305edla7a6563805746fe03edc 

Output  Block  41635be625b48afcl666dd42a09d96e7 

Plaintext  30c81c46a35ce411e5fbcll91a0a52ef 

Ciphertext  71ab47a08  6e8  6eedf 3  9dlc5bba97c4  0  8 

Block  #4 
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Input  Block  41635be625b48afcl666dd42a09d96e7 
Output  Block  f 7b93058b8bce0f f fea41bf 0012cd394 
Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 
Ciphertext  0126141d67f37be8538f5a8be740e484 

F.4.6  OFB-AES256.  Decrypt 

Key  603debl015ca71be2b73aef 0857d7781 

If352c073b6108d72d9810a30914dff4 
IV  0001020304050 607080 90a0b0c0d0e0f 
Block  #1 

Input  Block  000102030405060708090a0b0c0d0e0f 
Output  Block  b7bf3a5df43989dd97f 0fa97ebce2f4a 
Ciphertext  dc7e84bfda79164b7ecd8486985d3860 
Plaintext  6bclbee22e409f96e93d7ell7393172a 
Block  #2 

Input  Block  b7bf3a5df43989dd97f 0fa97ebce2f4a 
Output  Block  elc656305edla7a6563805746fe03edc 
Ciphertext  4f ebdc67  4  0d2  0b3ac8  8f6ad82a4fb0  8d 
Plaintext  ae2d8a571e03ac9c9eb76fac45af8e51 
Block  #3 

Input  Block  elc656305edla7a6563805746fe03edc 
Output  Block  41635be625b48afcl666dd42a09d96e7 
Ciphertext  71ab47a08  6e8  6eedf 3  9dlc5bba97c4  0  8 
Plaintext  30c81c46a35ce411e5fbcll91a0a52ef 
Block  #4 

Input  Block  41635be625b48afcl666dd42a09d96e7 
Output  Block  f 7b93058b8bce0f f fea41bf 0012cd394 
Ciphertext  0126141d67f37be8538f5a8be740e484 
Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 

F.5  CTR  Example  Vectors 

F.5.1  CTR-AES1 28. Encrypt 

Key  2b7el51628aed2a6abf7158809cf4f3c 
Init.  Counter  f Of If 2f 3f 4f 5f 6f 7f 8f 9f afbf cfdfef f 
Block  #1 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdfeff 
Output  Block  ec8cdf7398607cb0f2d21675ea9eale4 
Plaintext  6bclbee22e409f96e93d7ell7393172a 
Ciphertext  874d6191b620e3261bef6864990db6ce 
Block  #2 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdff00 
Output  Block  362b7c3c6773516318a077d7fc5073ae 
Plaintext  ae2d8a571e03ac9c9eb76fac45af8e51 
Ciphertext  9806f 66b7970fdff 8617187bb9fffdff 
Block  #3 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdff01 
Output  Block  6a2cc3787889374fbeb4c81bl7ba6c44 
Plaintext  30c81c46a35ce411e5fbcll91a0a52ef 
Ciphertext  5ae4df 3edbd5d35e5b4f 0  902  0db0  3eab 
Block  #4 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdff02 
Output  Block  e89c399ff Of 198c6d40a31dbl56cabfe 
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Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 
Ciphertext  Ie031dda2fbe03dl7  9217 OaOf 30  0  9cee 

F.5.2  CTR-AES1 28. Decrypt 

Key  2b7el51628aed2a6abf7158809cf4f3c 
Init.  Counter  f Of If 2f 3f 4f 5f 6f 7f 8f 9f afbf cfdfef f 
Block  #1 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdfeff 
Output  Block  ec8cdf7398607cb0f2d21675ea9eale4 
Ciphertext  874d6191b620e3261bef6864990db6ce 
Plaintext  6bclbee22e409f96e93d7ell7393172a 
Block  #2 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdff00 
Output  Block  362b7c3c6773516318a077d7fc5073ae 
Ciphertext  9806f 66b7970fdff 8617187bb9fffdff 
Plaintext  ae2d8a571e03ac9c9eb76fac45af8e51 
Block  #3 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdff01 
Output  Block  6a2cc3787889374fbeb4c81bl7ba6c44 
Ciphertext  5ae4df 3edbd5d35e5b4f 0  902  0db0  3eab 
Plaintext  30c81c46a35ce411e5fbcll91a0a52ef 
Block  #4 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdff02 
Output  Block  e89c399ff Of 198c6d40a31dbl56cabfe 
Ciphertext  Ie031dda2fbe03dl7  9217 OaOf 30  0  9cee 
Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 


F.5.3  CTR-AES192.Encrypt 

Key  8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b 

Init.  Counter  f Of If 2f3f4f5f6f 7f8f9f afbf cfdfef f 

Block  #1 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdfeff 

Output  Block  717d2dc639128334a6167a488ded7921 

Plaintext  6bclbee22e409f96e93d7ell7393172a 

Ciphertext  Iabc932417521ca24f2b0459fe7e6e0b 

Block  #2 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdff00 

Output  Block  a72eb3bbl4a556734b7bad6abl6100c5 

Plaintext  ae2d8a571e03ac9c9eb76fac45af8e51 

Ciphertext  090339ec0aa6faefd5ccc2c6f4ce8e94 

Block  #3 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdff01 

Output  Block  2efeae2d72b722613446dc7f4c2af 918 

Plaintext  30c81c46a35ce411e5fbcll91a0a52ef 

Ciphertext  le3  6b2  6bdlebc67  0dlbdld6  65  62  Oabf 7 

Block  #4 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdff02 

Output  Block  b9e783b30dd7924ff7bc9b97beaa8740 

Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 

Ciphertext  4f 7  8a7f 6d2  98  0  9585a97daec58c6b050 
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F.5.4  CTR-AES192.Decrypt 

Key  8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b 

Init.  Counter  f Of If 2f 3f 4f 5f 6f 7f 8f 9f afbf cfdfef f 

Block  #1 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdfeff 

Output  Block  717d2dc639128334a6167a488ded7921 

Ciphertext  Iabc932417521ca24f2b0459fe7e6e0b 

Plaintext  6bclbee22e409f96e93d7ell7393172a 

Block  #2 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdff00 

Output  Block  a72eb3bbl4a556734b7bad6abl6100c5 

Ciphertext  090339ec0aa6faefd5ccc2c6f4ce8e94 

Plaintext  ae2d8a571e03ac9c9eb76fac45af8e51 

Block  #3 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdff01 

Output  Block  2efeae2d72b722613446dc7f4c2af 918 

Ciphertext  le3  6b2  6bdlebc67  0dlbdld6  65  62  Oabf 7 

Plaintext  30c81c46a35ce411e5fbcll91a0a52ef 

Block  #4 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdff02 

Output  Block  b9e783b30dd7924ff7bc9b97beaa8740 

Ciphertext  4f 7  8a7f 6d2  98  0  9585a97daec58c6b050 

Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 

F.5.5  CTR-AES256.  Encrypt 

Key  603debl015ca71be2b73aef 0857d7781 

If352c073b6108d72d9810a30914dff4 
Init.  Counter  f Of If 2f3f4f5f6f 7f8f9f afbf cfdfef f 

Block  #1 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdfeff 

Output  Block  0bdf7df 1591716335e9a8bl5c860c502 

Plaintext  6bclbee22e409f96e93d7ell7393172a 

Ciphertext  601ec313775789a5b7a7f 504bbf 3d228 

Block  #2 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdff00 

Output  Block  5a6e699d536119065433863c8f 657b94 

Plaintext  ae2d8a571e03ac9c9eb76fac45af8e51 

Ciphertext  f443e3ca4d62b59aca84e990cacaf5c5 

Block  #3 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdff01 

Output  Block  Ibcl2c9c0 1 61 0d5d0d8bd6a337 8eca62 

Plaintext  30c81c46a35ce411e5fbcll91a0a52ef 

Ciphertext  2b0930daa23de94ce87017ba2d84988d 

Block  #4 

Input  Block  f0flf2f3f4f5f 6f7f8f 9fafbfcfdff02 

Output  Block  2 95 6elc8 69353 6blbee99c73a3157 6b6 

Plaintext  f 69f2445df 4f 9bl7ad2b417be66c3710 

Ciphertext  df c9c5  8db67aada613c2dd0  8  4  57  941a6 

F.5.6  CTR-AES256.  Decrypt 

Key  603debl015ca71be2b73aef 0857d7781 

If352c073b6108d72d9810a30914dff4 
Init.  Counter  f Of If 2f3f4f5f6f 7f8f9f afbf cfdfef f 
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Block  #1 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Block  #2 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Block  #3 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 
Block  #4 
Input  Block 
Output  Block 
Ciphertext 
Plaintext 


f0flf2f3f4f5f 6f7f8f 9fafbfcfdfeff 
0bdf7dfl591716335e9a8bl5c860c502 
601ec313775789a5b7a7f504bbf3d228 
6bclbee22e409f96e93d7el 173 93172a 

f0flf2f3f4f5f 6f7f8f 9fafbfcfdff00 
5a6e699d536119065433863c8f 657b94 
f443e3ca4d62b59aca84e990cacaf5c5 
ae2d8a571e03ac9c9eb76fac45af8e51 

f0flf2f3f4f5f 6f7f8f 9fafbfcfdff01 
Ibcl2c9c0 1 61 0d5d0d8bd6a337  8eca62 
2b0930daa23de94ce87017ba2d84988d 
30c81c46a35ce411e5fbcll91a0a52ef 

f0flf2f3f4f5f 6f7f8f 9fafbfcfdff02 
2956elc8693536blbee99c73a31576b6 
df c9c5  8db67aada613c2dd0  8  4  57  941a6 
f 69f2445df4f 9bl7ad2b417be66c3710 
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